You think I'm storing passwords? I would never do that. I store an oauth2 token, and for some cloud services the account name that was used (as it's needed for some services like Google Drive), and that is it. That's also stored in the preference files (hidden from user access) and not included with backups or exported settings, as mentioned. There is literally no way for users to get access to that information unless they rooted their device, and even then, they are just getting an account name which is relatively useless by itself. Oauth2 tokens also expire after short while and have to be refreshed. This is all happening through each company's SDK, so I'm not even the one handling the oauth2 stuff.
Mike
Mike