For a long time now I've not liked the descriptions of many of the permissions for Android apps, I'm not going to get into detail as I don't have a lot of time. My most recent look at permissions came about while I'm looking at using Evernote. I noticed the app Evernote Hello which does look interesting. What I don't like is that it has these permissions listed:
ACT AS AN ACCOUNT AUTHENTICATOR
Allows the app to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords.
MANAGE THE ACCOUNTS LIST
Allows the app to perform operations like adding and removing accounts, and deleting their password.
It's the part about being able to change/get passwords like sounds really bad to me. So I decided to do a bit of digging into the API regarding the AccountManager . I found that it has this line along with the authenticator permissions:
This method requires the caller to hold the permission AUTHENTICATE_ACCOUNTS and to have the same UID as the added account's authenticator.
which basically means that for the most part that permission should not be so bad. I exported a list of apps to see what shared UIDs were used. The Evernote Hello app doesn't even share a UID with the main Evernote app. So I don't know what they use the permission for so I've submitted the question to the support desk.
The Manage accounts permission looks like it does not have the same restriction but deals with the local version of the account only. So deleting a password does not affect the account on whatever server (e.g. gmail or facebook).
But I wonder if using AccountManager.updateCredentials it would be possible to get a user to type a password into a spoof screen and log it. Mainly due to this part in the API docs:
"The Activity context to use for launching a new authenticator-defined sub-Activity to prompt the user to enter a password; used only to call startActivity(); if null, the prompt will not be launched directly, but the necessary Intent will be returned to the caller instead".
There's a good chance I'm being incredible paranoid about this with big companies like Evernote or Facebook. But it is certainly not a permission I would allow on an app from a random developer that I've never heard of before.