Keeping passwords/credentials out of the cloud

Question

Under what circumstances will a current Android sync or otherwise send passwords off the device? The credentials in question are for:

WiFI

Non-Gmail email accounts accessed through the stock Gmail app

Other apps, eg. Twitter

This question is on behalf of a family member looking at acquiring a Pixel 3, but concerned over how such is handled (including whether apps are able to read each other's data). I've been able to find details of how the Gmail app works with credentials for Gmail accounts, but for other email types and the other cases the details seem more fuzzy (or the answers more than five years old).

It is of course expected that for email protocols such as POP3 the client will need to submit the credentials off the device to authenticate with the service; this question is about whether they might get sent somewhere else as well, for whatever reason, and whether this can be controlled.

— Lofteyn | Sources

Answer

The Wifi credentials are automatically synced to the Google Cloud if you have enabled the setting "Backup to Google Drive" (Android settings).

Regarding the credentials (e.g. username and password) used by other apps there is no way to say something in general. Those apps may or may not store the required credentials in a secure way. Modern Android systems (Android 5 and newer) provide some relative secure mechanisms for using encryption keys that are maintained by Android itself. Those keys can then be used for encrypting the credentials before saving them to the flash memory. But using encryption the correct and secure way isn't easy. A lot of app developers use the easy and sloppy way and store credentials more or less in plain text.

Also the automatic backup into the cloud comes into play - if the app developer has not configured it correctly the stored credentials are backuped/synced into the Google cloud (if enabled system-wide, see first section).

Last but not least the is your question about the possibility to detect if an app sends credentials into the net. Unfortunately the only answer is: If the app developer wants to do so the app can do it. Additionally this can also be done by any development library the developer includes into the app (advertising, tracking, ...).

— Robert | Sources

Q & A

After moving gatekeeper.pattern.key to unlock, Settings>Security keeps crashing

Charger with long usb cable

On Honor 6x camera is slow to start. Any solutions?

How do I turn off speech-to-text censorship in Android 7?

adb shell error: device not found (Ubuntu)

How to change default video player app inside Hangouts

How to turn off auto suggestion popups in Google Keep?

Tasker - turn off wifi IF there's no internet connection

Can I install Android P Beta to my Galaxy S8?

Where can I add xposed modules to systemless xposed framework?

How to watch Youtube with screen off on any Android without a Youtube Premium subscription

How do I delete podcasts downloaded by podbean?

Find My Device says "can't reach device", but I can make it ring

Xiaomi Mi5s plus' display won't turn on after updating LOS

Company account terminated

Infinity loading of centrain Google Apps on Italian SIM

Prevent disable power saving while charging [root]

Can I install packages to external SD card on Termux in Android?

how to ignore folder when using adb push

What is the meaning of "a5ultexx" in terms of phone models?

Topics

2D Engines 3D Engines 9-Patch Action Bars Activities ADB Advertisements Analytics Animations ANR AOP API APK APT Architecture Audio Autocomplete Background Processing Backward Compatibility Badges Bar Codes Benchmarking Bitmaps Bluetooth Blur Effects Bread Crumbs BRMS Browser Extensions Build Systems Bundles Buttons Caching Camera Canvas Cards Carousels Changelog Checkboxes Cloud Storages Color Analysis Color Pickers Colors Comet/Push Compass Sensors Conferences Content Providers Continuous Integration Crash Reports Credit Cards Credits CSV Curl/Flip Data Binding Data Generators Data Structures Database Database Browsers Date & Debugging Decompilers Deep Links Dependency Injections Design Design Patterns Dex Dialogs Distributed Computing Distribution Platforms Download Managers Drawables Emoji Emulators EPUB Equalizers & Event Buses Exception Handling Face Recognition Feedback & File System File/Directory Fingerprint Floating Action Fonts Forms Fragments FRP FSM Functional Programming Gamepads Games Geocaching Gestures GIF Glow Pad Gradle Plugins Graphics Grid Views Highlighting HTML HTTP Mocking Icons IDE IDE Plugins Image Croppers Image Loaders Image Pickers Image Processing Image Views Instrumentation Intents Job Schedulers JSON Keyboard Kotlin Layouts Library Demos List View List Views Localization Location Lock Patterns Logcat Logging Mails Maps Markdown Mathematics Maven Plugins MBaaS Media Menus Messaging MIME Mobile Web Native Image Navigation NDK Networking NFC NoSQL Number Pickers OAuth Object Mocking OCR Engines OpenGL ORM Other Pickers Parallax List Parcelables Particle Systems Password Inputs PDF Permissions Physics Engines Platforms Plugin Frameworks Preferences Progress Indicators ProGuard Properties Protocol Buffer Pull To Purchases Push/Pull QR Codes Quick Return Radio Buttons Range Bars Ratings Recycler Views Resources REST Ripple Effects RSS Screenshots Scripting Scroll Views SDK Search Inputs Security Sensors Services Showcase Views Signatures Sliding Panels Snackbars SOAP Social Networks Spannable Spinners Splash Screens SSH Static Analysis Status Bars Styling SVG System Tags Task Managers TDD & Template Engines Testing Testing Tools Text Formatting Text Views Text Watchers Text-to Toasts Toolkits For Tools Tooltips Trainings TV Twitter Updaters USB User Stories Utils Validation Video View Adapters View Pagers Views Watch Face Wearable Data Wearables Weather Web Tools Web Views WebRTC WebSockets Wheel Widgets Wi-Fi Widgets Windows Wizards XML XMPP YAML ZIP Codes