Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Check if a device google account is authenticated, only then allow access to my offline app

I have a private app which works totally offline (i.e. no server data sent/recieved), however I have a need to restrict it only to users with a valid Google account on their phone. I can get make sure there is a suitable account on the phone by iterating a list of phone accounts, but is it possible to check the account is valid/authenticated without me having to introduce the full OAuth process? I have no need to get a cookie or send any data to a server.

Ideally I'd like to do something like: 1. Check with the account manager for an auth token. 2. If token recieved then allow access to the app. Currently without any checks via the account manager, anyone could create a fake account on the phone and then gain access even if they put in a email/password and they would never be authorised.

I hope I've explained this clearly. As my app has no network connectivity so I would like to avoid adding any of my own network/oauth checking.

like image 837
sham Avatar asked Apr 03 '14 16:04

sham


2 Answers

What about this:

AccountManager manager = AccountManager.get(this);
Account[] accounts = manager.getAccountsByType("com.google");
final boolean connected = accounts != null && accounts.length > 0;

The connected boolean will indicate if there is a connected Google account in the phone.

Indeed there won't be any check on the token, but if the account is registered on the phone, then Google checked it before, server-side, to validate it...

like image 75
Jeje Doudou Avatar answered Nov 08 '22 03:11

Jeje Doudou


How about implementing Google Plus login API? It's not really setting up a full OAuth process since G+ it's fairly simpler, even if it is actually built on top of OAuth.

I use that in an app I'm developing that also does not require online access (except for initial G+ login access).

What I do is the first time the app is run I present the G+ login button. After user clicks on it he can accept the permissions request from my app (to be able to retrieve user email and some basic profile info, i.e. minimum permission needed) and if the API client connects correctly then I present the user with the dashboard or home screen and also set up a flag in SharedPreferences about the user being already authorized.

In this way, the next time the user starts the app it will remember it was already authorized and just ask the API client to connect (only if the access was revoked from the account's Play Store website do we need to re-verify that the user auth is still valid), and everything should work. If the user revokes the access to his G+ profile from my app, I clear the flag so the next time the user runs it it asks for authorization again.

It's actually very simple and at least for my use case (Which sounds very similar to yours) it works for what I want it with minimum user intrusion.

I strongly suggest you try out something like this Google Plus login tutorial

Edit: You can also check this question I asked before, about working with multiple activities that need Google Plus functionality

Also, forgot to say that with this method you are always sure that the user account is always valid since you are checking directly with Google's servers about its validity.

like image 32
Acapulco Avatar answered Nov 08 '22 03:11

Acapulco