Keeping passwords/credentials out of the cloud

Question

Under what circumstances will a current Android sync or otherwise send passwords off the device? The credentials in question are for:

WiFI

Non-Gmail email accounts accessed through the stock Gmail app

Other apps, eg. Twitter

This question is on behalf of a family member looking at acquiring a Pixel 3, but concerned over how such is handled (including whether apps are able to read each other's data). I've been able to find details of how the Gmail app works with credentials for Gmail accounts, but for other email types and the other cases the details seem more fuzzy (or the answers more than five years old).

It is of course expected that for email protocols such as POP3 the client will need to submit the credentials off the device to authenticate with the service; this question is about whether they might get sent somewhere else as well, for whatever reason, and whether this can be controlled.

— Lofteyn | Sources

Answer

The Wifi credentials are automatically synced to the Google Cloud if you have enabled the setting "Backup to Google Drive" (Android settings).

Regarding the credentials (e.g. username and password) used by other apps there is no way to say something in general. Those apps may or may not store the required credentials in a secure way. Modern Android systems (Android 5 and newer) provide some relative secure mechanisms for using encryption keys that are maintained by Android itself. Those keys can then be used for encrypting the credentials before saving them to the flash memory. But using encryption the correct and secure way isn't easy. A lot of app developers use the easy and sloppy way and store credentials more or less in plain text.

Also the automatic backup into the cloud comes into play - if the app developer has not configured it correctly the stored credentials are backuped/synced into the Google cloud (if enabled system-wide, see first section).

Last but not least the is your question about the possibility to detect if an app sends credentials into the net. Unfortunately the only answer is: If the app developer wants to do so the app can do it. Additionally this can also be done by any development library the developer includes into the app (advertising, tracking, ...).

— Robert | Sources

Q & A

Multiple partitions on sdcard (fat, exfat) on Android?

Save offline Google maps to SD card

How can I require my Android (latest version) phone to require BOTH a fingerprint and a password?

Why don't I see my custom ringtone under Default Notification Sounds?

How am I supposed to know if my smartphone is ARM or 86x?

Charging during filetransfer

No fingerprint reader after adding self signed certificate

Is there an android app that turns off sound certain times of the week (like at work)?

Deleted play store accidently form my rooted Sony Xperia C2305 using lucky patcher

YouTube app comments

Nexus 5 unable to reflash

Does using Android Instant Apps count as installation on Play store?

How to color status bar and navigation bar

Where are the battery capacity files located?

Camera partial crash in CM13

Use mobile internet though connected to WLAN

Storage problem?

Mirror/push Android notifications to iOS device

Missing 2G only on my Galaxy s4 I9505 on lollipop

Nexus 4 stuck in boot loop

Topics

2D Engines 3D Engines 9-Patch Action Bars Activities ADB Advertisements Analytics Animations ANR AOP API APK APT Architecture Audio Autocomplete Background Processing Backward Compatibility Badges Bar Codes Benchmarking Bitmaps Bluetooth Blur Effects Bread Crumbs BRMS Browser Extensions Build Systems Bundles Buttons Caching Camera Canvas Cards Carousels Changelog Checkboxes Cloud Storages Color Analysis Color Pickers Colors Comet/Push Compass Sensors Conferences Content Providers Continuous Integration Crash Reports Credit Cards Credits CSV Curl/Flip Data Binding Data Generators Data Structures Database Database Browsers Date & Debugging Decompilers Deep Links Dependency Injections Design Design Patterns Dex Dialogs Distributed Computing Distribution Platforms Download Managers Drawables Emoji Emulators EPUB Equalizers & Event Buses Exception Handling Face Recognition Feedback & File System File/Directory Fingerprint Floating Action Fonts Forms Fragments FRP FSM Functional Programming Gamepads Games Geocaching Gestures GIF Glow Pad Gradle Plugins Graphics Grid Views Highlighting HTML HTTP Mocking Icons IDE IDE Plugins Image Croppers Image Loaders Image Pickers Image Processing Image Views Instrumentation Intents Job Schedulers JSON Keyboard Kotlin Layouts Library Demos List View List Views Localization Location Lock Patterns Logcat Logging Mails Maps Markdown Mathematics Maven Plugins MBaaS Media Menus Messaging MIME Mobile Web Native Image Navigation NDK Networking NFC NoSQL Number Pickers OAuth Object Mocking OCR Engines OpenGL ORM Other Pickers Parallax List Parcelables Particle Systems Password Inputs PDF Permissions Physics Engines Platforms Plugin Frameworks Preferences Progress Indicators ProGuard Properties Protocol Buffer Pull To Purchases Push/Pull QR Codes Quick Return Radio Buttons Range Bars Ratings Recycler Views Resources REST Ripple Effects RSS Screenshots Scripting Scroll Views SDK Search Inputs Security Sensors Services Showcase Views Signatures Sliding Panels Snackbars SOAP Social Networks Spannable Spinners Splash Screens SSH Static Analysis Status Bars Styling SVG System Tags Task Managers TDD & Template Engines Testing Testing Tools Text Formatting Text Views Text Watchers Text-to Toasts Toolkits For Tools Tooltips Trainings TV Twitter Updaters USB User Stories Utils Validation Video View Adapters View Pagers Views Watch Face Wearable Data Wearables Weather Web Tools Web Views WebRTC WebSockets Wheel Widgets Wi-Fi Widgets Windows Wizards XML XMPP YAML ZIP Codes