8

It bothers me that my Android Phone is permanently logged into my Gmail account.

I want to logout from the device and somehow make the phone ask for username/password when connecting to my account.

It seems there is no such option. What are my options?

P.S. Please don't suggest to lock my phone when not in use. I already do that.

zsad

3 Answers

14

Being "logged in" is a misconception. Even when you are "logged in" when you use a browser, this is handled by the storage of a cookie with an authentication token stored in it. On the device it is sort of the same, except it is not a "cookie". When you set up your account, an authentication token is requested and stored on the device. A new token can also be exchanged at other times, but you are unaware that it even happens.

When the applications, like Gmail, go and check for new mail, they use that token to tell the Gmail servers that you are "you". The reason you can't "sign out" is because then you would not be able to check for new mail, get application updates and other things like that that happen in the background. If you were to sign out, then every couple minutes you would have to put in your credentials so your device could check for updates and new mail.

A large set of the services built into Android use your authentication token. Even when you create, edit, or delete a contact on your device, because it syncs that data to your account on Google servers. Calendar appointments, gTalk, Google Voice, the search widget, voice-to-text, push notifications (for just any service that uses C2DM), and any other service that may show up under your Google account in Accounts & Sync can and will need this authentication token at any given time.

It is more like you are logged in to your PC (Windows, Linux, OSX) than logged in to any particular Google service.

Ryan Conrad
  • So everyone who has that token can go into my mail account with it? – zsad Feb 01 '12 at 17:07
  • 2
    How would they get your token? But, yes, in theory, if someone got a currently valid token for you, then they could access your data. All of the communications that Google uses for your information are over HTTPS, so the data is encrypted. Tokens are unique to you; someone else will not get "your token". – Ryan Conrad Feb 01 '12 at 17:32
  • A large set of the services built-in to android use your authentication token. What about "any" app? Can some (malicious) installed application get to the token and send it somewhere for someone to use? – zsad Feb 01 '12 at 17:53
  • 1
    Any "normal" application can use your account to authenticate you, but Google still limits the data that could be accessed. Even if it was something like getting contacts, you would see in the application's permissions that it needed access to contacts, and if the app is not something that would need that information, then don't install it. – Ryan Conrad Feb 01 '12 at 18:00
  • 2
    But your PC can't get stolen/lost that easily. Everything you listed doesn't explain why you can't add the option to 'sign out' - invalidate your token (the same way you do on a browser) - when you want to (e.g., when you turn off your phone), while being aware that while you are 'signed out' some features will not work. This is security 101. – Asaf Feb 23 '12 at 08:42
  • Alright OP, think about this, your handset is within the boundaries of your wifi network, right? You've put all the necessary firewalling restrictions in place, of course, including WPA2 at least, then... if you're raising this issue, and your argument countering Ryan Conrad's answer, within the vicinity of your wall of security, how can anyone perform a MITM attack, you'd want to have an "attacker" on the outside within your vicinity, what I'm trying to say is, common sense comes into play here. – t0mm13b Jun 30 '12 at 01:15
  • None of the services that use the authentication token can be used to steal my identity and reset all my passwords except Gmail. You need to be able to sign out of that. If I could, I wouldn't need a lock password at all. Lock passwords are like making you log into Windows every three minutes. – Noumenon Dec 15 '13 at 22:48
11

There's no way to do this. It's been posed on Gmail's support forums in the past and the answer has always been (from the linked discussion above):

... Google's native apps on Android phones are designed to use the phone itself to sign in and out. If you're concerned about account security on your phone I recommend you add a lock pattern or PIN to your phone (visit Settings > Location & security settings to set these up).

If you want to disassociate your account you can perform a factory reset, which will erase all of your personal data and require you to set up the account again. This isn't really practical as a "sign out" method, though, since you'd have to completely re-create the account to access it.

I suppose you could also go to a web browser and change your Gmail password to effectively "log out" your phone and prompt for the new password, but then you'd have to change it after every time you've accessed the Gmail app. Again, not practical.

eldarerathis
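The token model described in the answers above, as an added example that is not part of the original posts and is not Google's actual protocol: a toy server exchanges the password once for a per-device token, accepts that token in place of the password afterwards, and invalidates every outstanding token when the password changes. The class and method names, and the per-device `revoke_device` call, are assumptions made for illustration.

```python
import hashlib, hmac, secrets

class AccountServer:
    """Toy model of a server issuing per-device tokens (hypothetical, for illustration)."""

    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._generation = 0      # bumped on every password change
        self._tokens = {}         # sha256(token) -> (device, generation at issue time)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, device, password):
        """Exchange the password once for a long-lived device token."""
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        # Only a digest of the token is kept server-side.
        self._tokens[hashlib.sha256(token.encode()).digest()] = (device, self._generation)
        return token

    def check(self, token):
        """Return the device name if the token is still valid, else None."""
        entry = self._tokens.get(hashlib.sha256(token.encode()).digest())
        if entry is None or entry[1] != self._generation:
            return None
        return entry[0]

    def revoke_device(self, device):
        """Server-side sign-out of one device; other devices keep working."""
        self._tokens = {k: v for k, v in self._tokens.items() if v[0] != device}

    def change_password(self, old, new):
        """Changing the password invalidates every token issued before it."""
        if not hmac.compare_digest(self._hash(old), self._pw_hash):
            return False
        self._pw_hash = self._hash(new)
        self._generation += 1
        return True

def demo():
    server = AccountServer("correct horse")        # constructed sample password
    phone = server.login("phone", "correct horse")
    laptop = server.login("laptop", "correct horse")
    before = (server.check(phone), server.check(laptop))
    server.revoke_device("phone")                   # lost phone: drop only its token
    after_revoke = (server.check(phone), server.check(laptop))
    server.change_password("correct horse", "new passphrase")
    after_change = (server.check(phone), server.check(laptop))
    return before, after_revoke, after_change
```

The password-change path is the one the answer above calls impractical as a routine sign-out: it logs out every device at once, while the per-device revocation leaves the laptop's token valid.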
0

The primary advantage of Gmail being a native app is that it keeps your emails synchronized and for getting new mail notifications, but if you really don't want to stay logged in and can accept that not being logged on means you won't get synchronizations or notifications, then just don't use the Gmail app. You can check your email through Gmail's mobile webmail instead.

Lie Ryan