Should you use AccountManager for storing Usernames and Passwords for an Android app?

Question

I would like to know if one should implement AccountManager to save user credentials such as username, email, passwords etc. I can\'t find a good reason to use

Answer 1

Overview

Using an AccountManager to store credentials is a much secure way than storing in a file or a SQL DB.
A file can be retrieved by any other app unlike via AccountManager Android will enforce that only your app will be able to access to the key.

But even the AccountManager is not fully secured in case of lost phone for example, see this for more info.

Good practice(s)

• I would recommend to use the AccountManager and not store the password in clear but the hash.
• And for a better level of security it's even better to store a device dedicated token delivered by the webservice and associated to the account (on the webservice side) and enable the user to revoke the token.

Not good

• Do not store a clear or even hashed password as a file or in a DB accessible by anyone.
• Never store a clear password but always work with a hash instead.

See also

• What protects Android AccountManager passwords from being read by other apps?
• http://developer.android.com/training/articles/security-tips.html#Credentials