
AccountManager.confirmCredentials issue

I'm trying to use the AccountManager.confirmCredentials method for user verification in my app. I'm using it like this:

    AccountManager am = AccountManager.get(ctx);
    am.confirmCredentials(account, null, ctx, new AccountManagerCallback<Bundle>() {
        @Override
        public void run(AccountManagerFuture<Bundle> amf) {
            try {
                Bundle b = amf.getResult();
                boolean r = b.getBoolean(AccountManager.KEY_BOOLEAN_RESULT);
                vc.onValidateResult(r);
                return;
            } catch (OperationCanceledException ignore) {
            } catch (AuthenticatorException ignore) {
            } catch (IOException ignore) {
            }
            vc.onValidateResult(false);
        }
    }, null);

But I found a gap in its implementation since Android 5. A user can clear the proposed account name in the Google authorization form and use his/her own. The result will be positive, and there is no way to verify whether the requested account name was used for confirmation, because the bundle I got has only a timestamp and the resulting boolean value. In other words, the bundle doesn't have the KEY_ACCOUNT_NAME field; however, according to the reference, it should.

Does anyone know how to work around this breach?

Orange asked Jul 31 '19 10:07




1 Answer

According to documentation:

If no activity or password was specified, the returned Bundle contains KEY_INTENT with the Intent needed to launch the password prompt. Also the returning Bundle may contain KEY_LAST_AUTHENTICATED_TIME indicating the last time the credential was validated/created.

If your result does not contain the Account Name, then it must be due to the above scenario. You should check if the intent contains KEY_INTENT, and if it does, then launch that intent to verify.

Zohaib Amir answered Oct 23 '22 11:10
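An added example (not code from the question or the answer) of a strict check on the confirmCredentials result: it separates the KEY_INTENT case the answer describes from a real confirmation, and accepts a positive result only when the bundle names the requested account. The class name, the Outcome enum and the requestCode parameter are hypothetical. On a device where the authenticator omits KEY_ACCOUNT_NAME, as the question reports, this check returns REJECTED rather than trusting the boolean alone.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

/** Hypothetical helper: strict evaluation of a confirmCredentials() result bundle. */
public final class ConfirmResultChecker {

    public enum Outcome { CONFIRMED, NEEDS_PROMPT, REJECTED }

    private ConfirmResultChecker() {}

    public static Outcome evaluate(Account requested, Bundle result) {
        if (result == null) {
            return Outcome.REJECTED;
        }
        // No activity or password was supplied: the bundle carries the prompt
        // Intent instead of a verification result.
        if (result.containsKey(AccountManager.KEY_INTENT)) {
            return Outcome.NEEDS_PROMPT;
        }
        if (!result.getBoolean(AccountManager.KEY_BOOLEAN_RESULT, false)) {
            return Outcome.REJECTED;
        }
        // Fail closed: a positive result that does not name the requested
        // account cannot be tied to that account, so it is not accepted.
        String name = result.getString(AccountManager.KEY_ACCOUNT_NAME);
        String type = result.getString(AccountManager.KEY_ACCOUNT_TYPE);
        boolean sameAccount = requested.name.equals(name) && requested.type.equals(type);
        return sameAccount ? Outcome.CONFIRMED : Outcome.REJECTED;
    }

    /** Launches the prompt Intent from a NEEDS_PROMPT result; requestCode is caller-chosen. */
    public static void launchPrompt(Activity activity, Bundle result, int requestCode) {
        Intent prompt = result.getParcelable(AccountManager.KEY_INTENT);
        if (prompt != null) {
            activity.startActivityForResult(prompt, requestCode);
        }
    }
}
```

Inside the callback from the question, `vc.onValidateResult(ConfirmResultChecker.evaluate(account, b) == ConfirmResultChecker.Outcome.CONFIRMED)` would replace the bare KEY_BOOLEAN_RESULT read.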