Managing App Passwords and Connected Apps on Android

That game you logged into with Google three years ago still has access. Here's how to find and revoke it.

By Adrián Vega

Published 6 December 2025 · Updated 24 May 2026 · 12 min read

Whenever you use your Google account to sign into a third-party fitness app, a discount shopping portal, or a mobile game, you create a digital tether that often remains active long after you have stopped using the service. These "Sign in with Google" prompts are convenient, but they bypass the traditional security barrier of unique passwords, often granting external developers broad permissions to view your email address, profile photo, or even your Google Drive files. Managing app passwords on Android and monitoring these connected services is one of the most effective ways to reduce your digital footprint and prevent data leaks stemming from third-party breaches.

I have spent the last week testing these privacy controls across a Pixel 8 Pro on Android 15, a Samsung Galaxy S24 running One UI 6.1, and a Xiaomi 14 Ultra on HyperOS. While the core Google account settings remain consistent, the path to find them varies depending on how your manufacturer has skinned the Android interface. In this guide, we will clear out the digital clutter by identifying which apps are piggybacking on your account and how to sever those connections without losing your data. We will also look at the specific differences between standard OAuth connections and the legacy app-specific passwords used for older software that doesn't support modern sign-in protocols.

Finding the connected-apps list

Finding the list of connected apps is your starting point for any privacy audit. On a device running stock-like Android 13, 14, or the newer Android 15 (such as a Pixel or a Motorola phone), follow this path:

1. Open the Settings app.
2. Scroll down and tap Google.
3. Select the "All services" tab if it is not already selected.
4. Tap "Settings for Google apps" at the bottom of the list.
5. Choose "Connected apps."

This menu synchronises directly with your Google Account, showing every external service that has requested and received a token to access your information.

If you are using a Samsung device with One UI 6 or the upcoming One UI 7, the path is slightly modified to fit Samsung's menu structure. Go to Settings > Google > Recommended (or All services) > Settings for Google apps > Connected apps. Samsung often prioritises its own account services, but for cross-platform app management, the Google menu is where the most critical third-party data resides. On Xiaomi devices running HyperOS, the pathway remains Settings > Google > Settings for Google apps > Connected apps, though you may notice high-contrast UI elements that look different from the Pixel's Material You aesthetic.

It is important to note that this list distinguishes between "Total apps and services" and those specifically using "Sign in with Google." As of Android 14, Google has improved the transparency of this list by categorising apps based on when they were last accessed. If you see an app in this list that you haven't used in over six months, it is a prime candidate for removal. The list also includes "App passwords" for older devices or apps that do not support modern security prompts. If you have previously set up app passwords on Android for an old desktop email client or a scanner, they will appear here as unique, 16-character codes that bypass two-factor authentication.

When viewing this list on any version of Android, pay close attention to the small print under each app name. It will often say "Has access to: Google Drive" or "Has access to: Your basic profile info." Android 15 has started to unify these views more cleanly, but the underlying data remains the same. The goal here is to identify any service you no longer recognise or use. In my testing, I found three defunct photo-editing apps from 2021 that still had permission to view my Google Contacts—a clear privacy risk that provides the developer with data they no longer need to provide their service.

What each scope means

When you click on an entry in the Connected Apps list, you will see a breakdown of the "scopes" or permissions the app holds. Understanding these is vital because not all access is created equal. The most common scope is "Basic profile information," which includes your name, email address, and profile picture. This is relatively low-risk, as it is the information required to create a user account for you. However, once you see permissions like "Read, edit, create and delete all your Google Drive files," you are looking at a much higher level of exposure. This is often requested by backup utilities or PDF editors, but it gives the developer significant power over your cloud storage.

Another common scope is "Google Calendar," which allows apps to read your schedule or even add events on your behalf. Travel apps or productivity tools frequently request this. On Android 13 and 14, Google began enforcing more granular controls over how these scopes are presented to the user during the initial sign-in process, but older apps may still hold broad, "legacy" permissions that were grandfathered in. If an app has "Full account access," this is a red flag. Only official Google apps should have this level of control; third-party apps should never require it, and you should revoke it immediately if found.

On Samsung and Xiaomi devices, you might see additional system-level permissions tagged onto these Google scopes. For example, HyperOS sometimes flags apps that have both Google Account access and high-level Android system permissions (like Accessibility services). App passwords on Android also fall into this category: if an app is using a generated 16-character password, it essentially has the same access as your main password but without the protection of 2FA. These are common for legacy IMAP/SMTP email setups on older Android versions but should be replaced with modern OAuth logins whenever possible for better security.

You should also look for "Cross-account sharing" permissions. Some modern integrations allow a service to share your data with other partners they have. This is particularly prevalent in the "Sign in with Google" ecosystem. Android 15 introduces more specific labeling for these instances, clearly marking when an app uses your Google identity to synchronise settings across different platforms (like your phone and your smart TV). If the scope says "View your email address," it sounds harmless, but it also provides a persistent identifier that advertisers can use to track you across different websites and services.
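The triage rules from the two sections above (unused for over six months, high-exposure scopes, app passwords that sit outside 2FA) can be written down as a small checklist script. This is an added example, not something Google or the author provides: the record layout, app names and dates are constructed, the inventory is assumed to be transcribed by hand from the Connected apps screen, and the "sensitive" tiering of the scope strings is an assumption.

```python
from datetime import date

# Real Google OAuth scope strings; the "sensitive" tiering is this example's assumption.
SENSITIVE = {
    "https://www.googleapis.com/auth/drive": "read, edit, create and delete all Drive files",
    "https://www.googleapis.com/auth/contacts.readonly": "view Google Contacts",
    "https://www.googleapis.com/auth/calendar": "read and change Google Calendar",
}
BASIC = {"openid", "email", "profile"}   # basic profile information
STALE_AFTER_DAYS = 183                   # "not used in over six months"

def triage(entry, today):
    """Return (action, reasons) for one hand-transcribed connected-apps entry."""
    reasons = []
    for scope in entry["scopes"]:
        if scope in SENSITIVE:
            reasons.append("sensitive scope: " + SENSITIVE[scope])
        elif scope not in BASIC:
            reasons.append("unknown scope, check manually: " + scope)
    if entry["kind"] == "app_password":
        reasons.append("app password: not covered by 2FA")
    if (today - entry["last_used"]).days > STALE_AFTER_DAYS:
        reasons.append("not used in over six months")
        return "revoke", reasons
    if entry["kind"] == "app_password":
        return "replace", reasons        # still in use: move it to OAuth sign-in
    return ("review", reasons) if reasons else ("keep", reasons)

def audit(inventory, today):
    """Map each entry name to its recommended action."""
    return {e["name"]: triage(e, today)[0] for e in inventory}

# Constructed inventory: names, dates and the record layout are hypothetical.
TODAY = date(2026, 5, 24)
INVENTORY = [
    {"name": "PhotoFix", "kind": "oauth", "last_used": date(2021, 8, 2),
     "scopes": ["openid", "email",
                "https://www.googleapis.com/auth/contacts.readonly"]},
    {"name": "TripPlanner", "kind": "oauth", "last_used": date(2026, 5, 1),
     "scopes": ["profile", "https://www.googleapis.com/auth/calendar"]},
    {"name": "Old mail client", "kind": "app_password",
     "last_used": date(2026, 5, 20), "scopes": []},
    {"name": "Puzzle game", "kind": "oauth", "last_used": date(2026, 4, 30),
     "scopes": ["openid", "email", "profile"]},
]

if __name__ == "__main__":
    for entry in INVENTORY:
        action, reasons = triage(entry, TODAY)
        print(f"{entry['name']:16} {action:8} {'; '.join(reasons)}")
```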

Revoking access

Revoking access is a straightforward process, but it has consequences you must understand. To remove an app on any Android device:

1. Navigate to the Connected Apps list mentioned previously.
2. Tap on the specific app you wish to remove.
3. Scroll to the bottom and tap "Delete all connections you have with [App Name]."
4. Confirm the choice by tapping "Confirm" on the pop-up dialogue.

On Android 14 and 15, you will receive a secondary warning if the app is currently using your account for active storage, such as Google Drive backups.

Once you revoke access, the app will no longer be able to pull new data from your Google account. However, this does not delete the data the developer has already collected on their own servers. To fully purge your information, you would typically need to log into the app's own website or support portal and request a data deletion under GDPR or CCPA regulations. Revoking the Google connection simply stops the ongoing data "leak" from your Google account to that third party. On Samsung One UI, I have noticed that revoking a Google connection sometimes triggers a notification from the Galaxy Store if the app was originally downloaded from there, offering a chance to uninstall the app entirely.

If you are managing app passwords for legacy software on Android, the process is slightly different. Instead of revoking a "connection," you are deleting a specific "App Password." This is done through Settings > Google > Manage your Google Account > Security > App passwords (you may need to search for this in the search bar if it is hidden). Deleting an app password will immediately lock that specific piece of software out of your account. The next time you open that old email client or server tool, it will prompt for a password; this is your cue to either generate a new one or, ideally, switch to a client that supports modern, secure sign-in methods.

Xiaomi's HyperOS has an additional "Security Scan" feature that occasionally flags apps with high-level account access. If you revoke access through the Google menu, HyperOS will update its security status during the next scan. It is a good practice to restart your phone after a major cleanup of 10 or more apps. This ensures that any background tokens stored in the system cache are cleared, forcing any app you kept to re-authorise if necessary. I recommend doing this on any device, whether it is a budget Redmi or a flagship Pixel, to ensure the privacy changes are fully applied at the system level.

Samsung account equivalent

Samsung users have a secondary layer of "Connected Apps" to manage: the Samsung Account. This operates independently of your Google account and is used for services like Samsung Cloud, SmartThings, and Samsung Pay. If you use a Galaxy device, you must audit this list as well, as many "Galaxy Store" apps bypass Google entirely. To find this:

1. Go to Settings.
2. Tap your Name/Email at the very top (Samsung Account).
3. Tap on "Security and privacy."
4. Tap "Connected services."
5. Here you will see "Samsung apps" and "Third-party services."

The third-party services list in Samsung's ecosystem is often populated by smart home brands (like Philips Hue or TP-Link) that you have linked to SmartThings. Revoking access here works similarly to Google's menu: tap the service and select "Disconnect." One UI 6.1 adds a "Privacy Dashboard" that shows exactly when these Samsung-connected apps accessed your location or camera in the last 24 hours. This is a level of granularity that often exceeds what you find in the standard Google Connected Apps menu, making it vital for Samsung owners to check both locations.

A unique feature on Samsung devices is the "Linked accounts" section under the Samsung Account settings. This often includes your Microsoft account (used for Gallery/OneDrive sync). If you are looking to untether your phone from Microsoft's ecosystem while maintaining your Google connection, this is where you perform that operation. Unlike the temporary tokens used for app passwords on Android, these linked accounts often involve deep system integration, allowing OneDrive to display your photos directly inside the Samsung Gallery app. Severing this link will stop the sync immediately, though your photos will remain on whichever device they were last downloaded to.

Xiaomi has a similar setup with the "Mi Account" (Xiaomi Account), found in Settings > Xiaomi Account > Devices / Connected Accounts. While less commonly used in Western markets for third-party app logins, it is central to the Xiaomi ecosystem. If you use Mi Home or Xiaomi-branded wearable apps, check this section to ensure no rogue devices are still attached to your account. HyperOS has made these menus much easier to find than in the old MIUI days, aligning more closely with the standard Android "Privacy" header found on Pixels.

OAuth basics

Understanding OAuth (Open Authorization) is key to knowing why you don't always need app passwords on Android. OAuth is the technology behind "Sign in with Google." Instead of giving an app your actual password, Android sends a "token." This token tells the app, "Google has verified this user is who they say they are, and they have granted you permission to see their email address." The beauty of this system is that the third-party app never sees your Google password, and you can revoke that specific token at any time without having to change your main Google password.

This is significantly more secure than the "Less Secure Apps" method or legacy app passwords. When an app uses OAuth, it generates a unique digital key that only works for that specific app and that specific set of permissions. This is why, when you revoke access in the "Connected apps" list, the app stops working instantly. It no longer has a valid token. On Android 13 and above, the system uses a more secure version of this exchange that often involves "Refresh Tokens," which allow the app to stay logged in without asking you every time, but these are still governed by the central Google security settings.

One major advantage of OAuth on modern Android versions (14 and 15) is the "Credential Manager." This is a new system API that unifies Google Sign-in with Passkeys. When you use this, the connection isn't just a simple token; it can be tied to your thumbprint or face unlock. This makes app passwords on Android (in the sense of typing in a string of characters) obsolete for most users. If an app asks you to "Enable Less Secure App Access" or requires you to manually type a generated 16-character code, you should consider finding an alternative app. Those methods do not support modern encryption standards and are a legacy loophole that hackers can exploit.

When you are prompted to sign in with your Google account on a Xiaomi or Samsung device, the system often uses "Standard Chrome Tabs" to handle the OAuth handshake. This ensures that your credentials are entered into a secure Google-owned browser window rather than an "In-App Browser" controlled by the developer. Always check the URL at the top of these sign-in prompts. It should always start with accounts.google.com. If it doesn't, do not enter your details, as it may be a phishing attempt designed to look like a standard Android system prompt.
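"Starts with accounts.google.com" is only a safe test when it is applied to the parsed host, not to the raw address text. The added example below (not from the original article; the sample addresses are constructed and the `.example` hosts are placeholders) compares a plain text-prefix check with a check on scheme and exact host name.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "accounts.google.com"

def naive_check(url):
    """The tempting check: does the address text start with the expected name?"""
    return url.startswith("https://" + EXPECTED_HOST)

def is_google_signin_url(url):
    """True only for an https URL whose host is exactly accounts.google.com."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    # .hostname drops any "user@" prefix and the port, and lowercases the name
    host = (parts.hostname or "").rstrip(".")
    return host == EXPECTED_HOST

# Constructed sample addresses for comparison.
SAMPLES = [
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=constructed",
    "https://ACCOUNTS.GOOGLE.COM/signin",            # same host, different case
    "http://accounts.google.com/signin",             # not https
    "https://accounts.google.com.signin.example/",   # expected name is only a subdomain label
    "https://accounts.google.com@signin.example/",   # expected name is only the userinfo part
]

def compare(samples):
    """Return (url, naive result, strict result) for each sample."""
    return [(u, naive_check(u), is_google_signin_url(u)) for u in samples]

if __name__ == "__main__":
    for url, naive, strict in compare(SAMPLES):
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The last two samples pass the text-prefix check and fail the host check, which is why the part to read in the address bar is the full domain up to the first slash.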

Audit schedule

Privacy is not a "set and forget" task; it requires a routine. I recommend performing a "Connected Apps Audit" every three months, or at least every time your phone receives a major OS update (like moving from Android 14 to Android 15). Developers frequently change their privacy policies or are acquired by other companies, meaning the app you trusted last year might be owned by a data brokerage today. By checking your "Connected apps" list quarterly, you ensure that only the services you currently value have a doorway into your Google account.

A good way to remember this is to tie it to your "Google Play System Update." These updates arrive monthly on Pixels and most modern Samsung/Xiaomi devices. When you go to Settings > Security & privacy > System & updates to check for these, take an extra 60 seconds to tap on the Google Account security settings and scan the app list. Look for anything called "Project [Name]" or "Test App"—these are often remnants of beta tests you may have joined and forgotten about. These "throwaway" apps are often the most vulnerable because they aren't maintained by the developer with regular security patches.

If you have multiple Google accounts on one device (e.g., a personal and a work account), remember that you must audit the connected-apps list for each one separately. You can switch accounts in the Google settings menu by tapping your profile icon in the top right corner. In my testing across different OEMs, I found that users often forget the "Work Profile" apps. If your employer uses Google Workspace, they may have granted permissions to corporate apps on your behalf. While you might not be able to revoke all of these, knowing they exist is vital for understanding how your professional and personal data might be overlapping.

In the coming years, we expect Android 16 and beyond to automate more of this through "Permission Auto-Reset" for account access, similar to how Android 13+ already resets camera and microphone permissions for unused apps. Until that becomes a standard feature for account-level tokens, the responsibility remains with the user. Staying proactive about your app passwords on Android and revoking unnecessary OAuth tokens is the single best way to keep your primary Google account (which likely holds your photos, emails, and banking alerts) secure from third-party vulnerabilities.

Key takeaways

  • Finding the connected-apps list is where you start — it's the fastest win.
  • What each scope means: don't skip this — it's where most users leave settings at risky defaults.
  • Revoking access: don't skip this — it's where most users leave settings at risky defaults.
  • Samsung account equivalent: don't skip this — it's where most users leave settings at risky defaults.
  • Recheck these settings quarterly; OEM updates can reset toggles.

Frequently asked questions

Does changing these settings break apps?
Almost never. Modern Android apps must handle a denied permission or restricted access gracefully — they either skip the feature or prompt again when needed.
Will this drain my battery?
No. If anything, restricting background access and disabling tracking pipelines reduces battery and data usage.
Do these steps apply to Android 13, 14 and 15?
Yes. The menu paths shift slightly between versions and OEM skins (Pixel/stock, Samsung One UI, Xiaomi HyperOS), but the underlying controls behave the same.
