
How do popular apps authenticate user requests from their mobile app to their server?

Updated: 2023-10-13 08:27:52

I imagine they use a "token" based security system, so the password is actually never stored anywhere, just used the first time to authenticate. So the app initially posts the username/password (over SSL) and the server returns a token that the app stores. For subsequent sync attempts the token is sent first, the server checks it is valid, and then allows other data to be posted.

The token should have an expiry so the server can re-request an authentication attempt.

If you hook into the sync adaptor from within the Android Framework, that will give you the ability to sync and authenticate all under the hood.

http://developer.android.com/training/sync-adapters/creating-sync-adapter.html

If you check the accounts under Settings on your device, you'll see what I mean.
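The server side of the flow the answer describes, as an added example that is not part of the original answer and not tied to any real app: credentials are checked once against a salted hash, an opaque random token with an expiry is issued, and every later sync request is admitted only after the token is checked. The user and token stores are constructed in-memory dictionaries standing in for a database; only a digest of each token is kept server-side.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the server's database.
USERS = {}   # username -> (salt, pbkdf2 hash); the password itself is never stored
TOKENS = {}  # sha256(token) -> (username, expiry); only a digest of the token is kept
TOKEN_TTL = 3600  # seconds a token stays valid before the app must re-authenticate


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username, password):
    """Create a user record holding a salted PBKDF2 hash, not the password."""
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_password(password, salt))


def login(username, password, now=None):
    """Step 1: credentials are presented once; on success a fresh random token is issued."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):  # constant-time compare
        return None
    token = secrets.token_urlsafe(32)            # opaque and unguessable, carries no user data
    digest = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[digest] = (username, now + TOKEN_TTL)
    return token                                  # handed to the app, which stores it


def check_token(token, now=None):
    """Resolve a presented token to a username, or None if unknown or expired."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = TOKENS.get(digest)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        TOKENS.pop(digest, None)                  # expired: drop it so it cannot be reused
        return None
    return username


def sync(token, payload, now=None):
    """Step 2: the token is checked first; only then is the posted data accepted."""
    username = check_token(token, now)
    if username is None:
        return ("reauth", None)                   # server asks the app to log in again
    return ("ok", {"user": username, "items": len(payload)})
```

Passing `now` explicitly lets the expiry be exercised without waiting; in a real service the clock comes from the server, never from the client.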