Just FYI: I am still using non-OAuth authentication on a desktop and on my phone, in Aquamail.
Actually, Kostya, I have a question about that.
One of the reasons (or, maybe motivations) for that was the following line of thought:
With OAuth2, the authentication to the Google account is handled by the phone itself, and there is a potential that any other app that has access to the "accounts" on the phone may:
1. Realize the relation between different Google accounts of mine.
and even
2. Gain access to those accounts (by exploiting some unpatched vulnerability in Android in combination with the weaknesses of OAuth2 [implementation]).
I thought that the password-based authentication information stored by Android would be less prone to both of those.
Is there a reasonable merit in this consideration, or are the password-based accounts created by Aquamail as vulnerable?
(I am not considering cases when the phone is completely compromised to the level of system/root permissions, when the entire system is accessible to the code with those permissions.)
And finally, with OAuth2-based authentication in Aquamail, can Google Play service(s) (and, hence, other Google apps) on the phone obtain access to that account, or is that OAuth2 token limited to Aquamail? (And, sorry, this is a deeper question: What actually pins it to Aquamail only?)