
Android - best practices for authorization


I am researching how to authenticate and authorize a user within an Android application.

For authentication there is the AccountManager, but I am not sure how to check whether the user is signed in or not. I know how to set up AccountAuthenticatorActivity and AuthenticatorService, but I am not sure how it's connected with the application.

Am I supposed to call some check on every onCreate in every activity to ensure that the user is signed in, or does the service do that for me somehow?

If I am supposed to do some regular checking, what is the best practice towards where such checking should be called?


Solution

  • It depends on your application, really. Unless you have a requirement for very strict security, like a financial application, government application, etc., I think you could get by with a simpler approach. For example, after a user logs in (however you choose to implement this) store a value in SharedPreferences to denote the user has authenticated. From here, you could do one of the following:

    1. If your application requires you authenticate every activity/fragment you launch, simply check this SharedPreferences value. You could also create a base activity that all your other activities extend and do your authentication check there.
    2. If you only need to authenticate once, modify your launcher activity in your manifest to check for this value. If the user has authenticated already, create a new Intent for your 'home' activity and redirect your user and finish() the launcher activity.
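
Both options from the answer above, sketched as an added example (not code from the original post). The flag lives on the device, so it only decides which screen to show; any data the app fetches still has to be authorized by the server on each request. All class names, the preference file name and the key are hypothetical.

```java
// Added example; AuthGate, BaseAuthActivity, LauncherActivity, LoginActivity,
// HomeActivity, "auth_prefs" and "is_authenticated" are assumed names.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.Bundle;

final class AuthGate {
    private static final String PREFS = "auth_prefs";
    private static final String KEY_AUTHENTICATED = "is_authenticated";

    static boolean isSignedIn(Context ctx) {
        // Defaults to false so a missing or cleared value means "signed out".
        return prefs(ctx).getBoolean(KEY_AUTHENTICATED, false);
    }

    // Call with true after a successful login and false on logout.
    static void setSignedIn(Context ctx, boolean value) {
        prefs(ctx).edit().putBoolean(KEY_AUTHENTICATED, value).apply();
    }

    private static SharedPreferences prefs(Context ctx) {
        return ctx.getApplicationContext().getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }
}

// Option 1: every protected screen extends this class. Checking in onResume
// also covers returning to a screen after the user signed out elsewhere.
abstract class BaseAuthActivity extends Activity {
    @Override
    protected void onResume() {
        super.onResume();
        if (!AuthGate.isSignedIn(this)) {
            Intent login = new Intent(this, LoginActivity.class);
            login.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
            startActivity(login);
            finish();
        }
    }
}

// Option 2: the manifest's launcher activity routes once, then removes itself.
public class LauncherActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Class<?> target = AuthGate.isSignedIn(this) ? HomeActivity.class : LoginActivity.class;
        startActivity(new Intent(this, target));
        finish(); // keep the launcher off the back stack
    }
}
class LoginActivity extends Activity {} // placeholder for the real login screen
class HomeActivity extends BaseAuthActivity {} // placeholder for the real home screen
```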