Disable silent access to account in account manager from 3rd party apps

Question

Hi I have a question related to Android's account manager.. My app injects an account into it, thus it is accessible also by other apps installed on the device. I thought that once any app would ask the system for the data stored in the account, it should ask the user first (the classic android auth screen, with two buttons which tells the user that the app wants access to the account). However, I tried it right now, I wrote simple app which purpose is only to populate stored authentication token from the account manager. It worked. It work just great except there wasn't any step asking the user for permission, it just shows the token. Please how I need to configure the account to not be public?

Below is the code I used for accessing the account. I only used the type of the account and type of the token. Thats all.

  AccountManager accountManager = AccountManager.get(this);
    assert accountManager != null;
    Account[] kosAccounts = accountManager.getAccountsByType("account_type");
    if(kosAccounts.length < 1) tokenView.setText("no account");
    else{
        accountManager.getAuthToken(kosAccounts[0],"token_type",null, this, new AccountManagerCallback<Bundle>() {
            @Override
            public void run(AccountManagerFuture<Bundle> future) {
                try {
                    Bundle result = future.getResult();
                    if(result == null) tokenView.setText("problem");
                    else{
                        tokenView.setText(result.getString(AccountManager.KEY_AUTHTOKEN));
                    }

                } catch (OperationCanceledException e) {
                    e.printStackTrace();
                } catch (IOException e) {
                    e.printStackTrace();
                } catch (AuthenticatorException e) {
                    e.printStackTrace();
                }

            }
        }, new Handler());
    }

And this the code I use for creating the account (from another app)..it is actually stripped down version of the code, I deleted all the clutter information you dont need to help me:)

final AccountManager accountManager = AccountManager.get(getApplicationContext());
final String username = getUserDataResponse.getString("username");
final String authToken = getUserDataResponse.getString("token"); // null pointer
final Account account = new Account(username, AuthenticatorConfig.ACCOUNT_TYPE);

accountManager.addAccountExplicitly(account, null, null);
accountManager.setAuthToken(account, AuthenticatorConfig.AUTH_TOKEN_TYPE, authToken);

Answer 1

Ok so the answer is rather simple..The certificate matter! If those apps are signed with different certificates, the screen appears.