
Code cleanup / add some todos/comments

David Luhmer 7 years ago
parent
commit
27970e77ed

+ 9 - 4
src/main/AndroidManifest.xml

@@ -71,6 +71,15 @@
 
     <permission-group android:name="com.owncloud.android"
         android:label="@string/permission_group" />
+
+    <!--
+        TODO review protection level again..
+        see: https://developer.android.com/guide/topics/manifest/permission-element
+
+        I think we can't use the signature based one since our apps will be signed with different keys
+        Therefore if you want to test the security features, you'll have to sign this app with a different key than the client app (e.g. nextcloud news app)
+    -->
+
     <permission
         android:name="com.owncloud.android.sso"
         android:permissionGroup="com.owncloud.android"
@@ -79,10 +88,6 @@
         android:description="@string/permission_desc">
     </permission>
 
-    <!--
-    <uses-permission android:name="com.owncloud.android.sso" />
-    -->
-
 
 
 
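Review bot: The new TODO explains why the signature protection level is out of reach but never records which protectionLevel the permission actually carries (that attribute sits just outside this hunk), so a reader cannot tell what the current exposure is. With a non-signature level, any installed app that declares `<uses-permission android:name="com.owncloud.android.sso" />` can obtain the permission, which makes the token comparison in InputStreamBinder the effective gate rather than the manifest. I would extend the comment with a line such as `With the current protectionLevel any app that requests this permission can hold it; access is enforced by the auth-token check in InputStreamBinder, so that check must stay.` and replace the "I think" wording with the concrete reason, so the TODO reads as a tracked decision rather than a guess.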

+ 7 - 0
src/main/java/com/owncloud/android/authentication/AccountAuthenticator.java

@@ -170,8 +170,15 @@ public class AccountAuthenticator extends AbstractAccountAuthenticator {
             result.putString(AccountManager.KEY_ACCOUNT_TYPE,  MainApp.getAccountType());
             result.putString(AccountManager.KEY_AUTHTOKEN,     NEXTCLOUD_SSO);
             result.putString("username",                       username);
+
+            // TODO consider returning here some kind of "token" instead of the "real" password
+            // those tokens have to stored in this (nextcloud) app to verify if a client is allowed to
+            // make a request (see AccountManagerService.java#L117 -> request.token)
             result.putString("password",                       am.getPassword(account));
+
+            // TODO return the correct url protocol here (http vs https)
             result.putString("server_url",                     "https://" + server);
+
             result.putBoolean("disable_hostname_verification", false);
 
             return result;
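Review bot: The TODO above the `password` line ties its cross-reference to a line number (`AccountManagerService.java#L117`), which will be stale after the next edit to that file; name the check instead, e.g. `// see the request.token comparison in InputStreamBinder`. The comment also understates what the bundle does today: `am.getPassword(account)` hands the account's real password across the binder to the calling app, so replacing it with a token is a security item rather than a convenience, and the comment should say so (`// until then the caller receives the stored password itself`). The `server_url` TODO is fine as written, but it should note that the scheme decision interacts with `disable_hostname_verification` on the following line, since both are handed to the caller as the connection policy. The enclosing method begins outside this hunk.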

+ 2 - 7
src/main/java/de/luhmer/owncloud/accountimporter/helper/InputStreamBinder.java

@@ -112,22 +112,17 @@ public class InputStreamBinder extends IInputStreamService.Stub {
         OwnCloudClient client = OwnCloudClientManagerFactory.getDefaultSingleton().getClientFor(ocAccount, context);
 
 
+        // Validate Auth-Token
         if(!client.getCredentials().getAuthToken().equals(request.token)) {
             throw new IllegalStateException("Provided authentication token does not match!");
         }
 
-        //OwnCloudVersion version = AccountUtils.getServerVersion(account);
-        //client.setOwnCloudVersion(version);
-
+        // Validate URL
         if(!request.url.startsWith("/")) {
             throw new IllegalStateException("URL need to start with a /");
         }
 
-        // TODO do some checks if url is correct!! (prevent ../ in url etc..
         request.url = client.getBaseUri() + request.url;
-
-        //AccountManagerService.INetworkInterface network = (stream) ? new AccountManagerService.StreamingRequest(port) : new AccountManagerService.PlainRequest();
-
         HttpMethodBase method;
 
         switch (request.method) {
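Review bot: The new `// Validate URL` comment overstates what the code checks: the only test is `startsWith("/")`, and the removed TODO about rejecting `../` is dropped without the check being added, so a path such as `/../x` is still concatenated onto `client.getBaseUri()` and can resolve outside the base path. Reject dot-segments before the concatenation, e.g. `if (!request.url.startsWith("/") || request.url.contains("..")) { throw new IllegalStateException("URL must start with / and must not contain '..'"); }`, or build the joined value with `java.net.URI`, call `normalize()` and require the result to still start with the base URI; the `contains` form is coarse but safe. A smaller point on the token check: `getAuthToken().equals(request.token)` stops at the first differing character, and `MessageDigest.isEqual` on the UTF-8 bytes avoids that, though over a local binder this matters little. The enclosing method starts before this hunk.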