In the next example (see Listing 3-5), I’ve added a check to see if the app on the phone or device has been used before, courtesy of its AndroidID. What I’m not suggesting here is that you use the AndroidID as a replacement for the user’s login and password; rather, think about using it to supplement the authentication process.
If an app caches the username and password so you don’t have to enter the password when you open the app, then it’s stored somewhere on the phone and your app is probably insecure.
The AndroidID is not a secure token; in our example you should be able to see that it is easy to spoof creating a fake shared preferences file to make the app think it’s on a different device.
I use the Android ID in our example; this ...