I’m trying to develop an attendance application. Therefore, I would like to minimize identity spoofing where a user signs the attendance for their friend by persisting the user logged in status in the application without uninstalling it.
For example, Facebook persists user data even when the user does Clear Data in Settings → Storage. And Telegram is able to show a Manage Storage button instead of the Clear Data button inside Settings → Storage which makes it difficult to clear the user data.
How do both these apps perform these kinds of actions? I am able to persist user authentication data when the user kills the app in the background. However, my data cannot "survive" through the Clear Data process.
2 Answers
I’d believe that those apps are simply using this backup mechanism: https://developer.android.com/guide/topics/data/backup.html
Specifically, because all you would need to back up is a user token (for example) to be able to access your own servers and authenticate, and well… then restore all the data you want.
The documentation says it very clearly:
Also (it’s a Key/Value storage, like SharedPreferences):
You don’t even need to be logged in.
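A sketch of the key/value backup approach from the answer above, added here as an illustration and not code from the answer or from either app. The package, class, preferences file and key names are hypothetical; the agent would be registered with `android:backupAgent` on the `application` element.

```java
// Added example: package, class, file and key names are hypothetical.
package com.example.attendance;

import android.app.backup.BackupAgentHelper;
import android.app.backup.BackupManager;
import android.app.backup.SharedPreferencesBackupHelper;
import android.content.Context;

/*
 * Register in AndroidManifest.xml:
 *   <application android:allowBackup="true"
 *                android:backupAgent=".SessionBackupAgent" ... >
 */
public class SessionBackupAgent extends BackupAgentHelper {
    // SharedPreferences file that holds only the session token.
    static final String SESSION_PREFS = "session";
    static final String KEY_TOKEN = "auth_token";
    // Key prefix that identifies this helper's data in the backup set.
    static final String BACKUP_KEY = "session_prefs";

    @Override
    public void onCreate() {
        // Back up the whole preferences file as key/value data.
        addHelper(BACKUP_KEY, new SharedPreferencesBackupHelper(this, SESSION_PREFS));
    }

    /** Store the token after login and ask the system to schedule a backup. */
    public static void saveToken(Context context, String token) {
        context.getSharedPreferences(SESSION_PREFS, Context.MODE_PRIVATE)
               .edit()
               .putString(KEY_TOKEN, token)
               .apply();
        new BackupManager(context).dataChanged();
    }

    /** Returns the token, or null when nothing is stored or has been restored. */
    public static String loadToken(Context context) {
        return context.getSharedPreferences(SESSION_PREFS, Context.MODE_PRIVATE)
                      .getString(KEY_TOKEN, null);
    }
}
```

The platform runs the restore when the app is installed, after which `loadToken` returns the restored value. The server should validate that token like any other before trusting it for an attendance record.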
This is easily done through the setting android:manageSpaceActivity for the application block in AndroidManifest. If you set some Activity on it, then the Clear Data button automatically changes to Manage Storage and will open your Activity on click.