Shouldn't Android AccountManager Store OAuth Tokens on a Per-App/UID Basis?

Frontend · Unresolved · 4 · 749
既然无缘 2021-01-29 19:18

Android's AccountManager appears to fetch the same cached auth token for apps with different UIDs - is this secure? It does not seem compatible with OAuth2, since access tokens

4 answers
  •  梦毁少年i
    2021-01-29 20:22

    I'm facing the same architectural problem for an app.

    The solution that I got is to associate/hash the OAuth token with the app vendor token (e.g. the token that Facebook gives to an app) and with the device id (android_id), so only the app authorized for the device is able to use the token from AccountManager.

    Of course, it's just a new layer of security, but not bulletproof.
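One way to implement the binding described in the answer above, as an added example that is not code from the post: the access token is encrypted under a key derived with PBKDF2 from the app's vendor token and android_id before it is cached, so a caller holding a different vendor token (or running on another device) gets a GCM authentication failure instead of the token. `BoundTokenStore`, its methods and the sample values are hypothetical/constructed; nothing here is an Android API.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper: wraps an OAuth access token under a key derived from the
// app's vendor token and the device's android_id, so a copy of the cached value
// is useless to a caller that does not hold both.
public final class BoundTokenStore {
    private static final int ITERATIONS = 100_000;
    private static final int IV_LEN = 12;            // 96-bit GCM nonce
    private static final SecureRandom RNG = new SecureRandom();

    // Key = PBKDF2-HMAC-SHA256(password = vendor token, salt = android_id)
    static SecretKey deriveKey(String vendorToken, String androidId) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(vendorToken.toCharArray(),
                androidId.getBytes(StandardCharsets.UTF_8), ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    // Returns base64(iv || ciphertext || tag): the value to hand to setAuthToken().
    static String wrap(String accessToken, String vendorToken, String androidId) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(vendorToken, androidId), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(accessToken.getBytes(StandardCharsets.UTF_8));
        byte[] blob = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getEncoder().encodeToString(blob);
    }

    // Returns the token, or null when the vendor token / device do not match
    // (the GCM tag check fails, so no partial plaintext is ever released).
    static String unwrap(String wrapped, String vendorToken, String androidId) {
        try {
            byte[] blob = Base64.getDecoder().decode(wrapped);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, deriveKey(vendorToken, androidId),
                    new GCMParameterSpec(128, blob, 0, IV_LEN));
            return new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
        } catch (Exception e) {
            return null;
        }
    }
}
```

Calling `wrap("constructed-access-token", "vendor-token-of-app-A", "constructed-android-id")` and then `unwrap` with the same two values returns the token, while `unwrap` with `"vendor-token-of-app-B"` returns null. As the answer says, this is one extra layer: a process that can read the app's vendor token and android_id can still unwrap the value.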
