One area where Android clearly outdoes iOS is in this very regard: http://developer.android.com/reference/android/accounts/AccountManager.html

Apps such as Twitter, Dropbox, Endomondo, Microsoft Exchange and formerly Facebook can register account types and authenticator modules with the operating system. The OS can then provide a standardized interface to the user when an app requests account access. The user provides their password once, and any app that needs access gets it from the OS, rather than the website. This is a simple and elegant solution that protects the user. Unfortunately, due to the popularity of iOS, most Android developers aren't aware of these options, or for some reason simply choose not to use them. If iOS could get on board with a similar approach, we could really make some progress in terms of mobile security. One flaw of this approach is that it requires the app for the service to be installed, but I think this is an acceptable sacrifice; the question is how to implement a graceful fallback.
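The flow described in the comment above, sketched from the side of an app that wants access. This is an added example, not part of the original comment: the account type `com.example.service`, the token type `read_only` and the class name `OsTokenClient` are hypothetical, and returning `null` is just one way to signal that the caller needs its own fallback.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AccountManagerFuture;
import android.accounts.AuthenticatorDescription;
import android.app.Activity;
import android.os.Bundle;

public final class OsTokenClient {
    // Hypothetical values: the real ones are defined by the service's authenticator.
    static final String ACCOUNT_TYPE = "com.example.service";
    static final String TOKEN_TYPE = "read_only";

    /** True when an installed app has registered an authenticator for ACCOUNT_TYPE. */
    static boolean authenticatorInstalled(AccountManager am) {
        for (AuthenticatorDescription d : am.getAuthenticatorTypes()) {
            if (ACCOUNT_TYPE.equals(d.type)) return true;
        }
        return false;
    }

    /**
     * Returns a token issued through the OS, or null when the caller must fall
     * back (service app not installed, or no visible account of that type).
     * Blocks on the result, so call it from a background thread.
     */
    static String requestToken(Activity activity) throws Exception {
        AccountManager am = AccountManager.get(activity);
        if (!authenticatorInstalled(am)) return null;

        Account[] accounts = am.getAccountsByType(ACCOUNT_TYPE);
        if (accounts.length == 0) return null;

        // Any credential prompt is shown by the authenticator's own UI, launched
        // through the Activity passed here. This app receives only the token.
        AccountManagerFuture<Bundle> future =
                am.getAuthToken(accounts[0], TOKEN_TYPE, null, activity, null, null);
        return future.getResult().getString(AccountManager.KEY_AUTHTOKEN);
    }

    /** Drop a token the server rejected so the next request fetches a fresh one. */
    static void onTokenRejected(Activity activity, String staleToken) {
        AccountManager.get(activity).invalidateAuthToken(ACCOUNT_TYPE, staleToken);
    }
}
```

Which accounts are visible to the calling app, and which permissions it needs, differ between Android versions, so the empty-account branch has to be treated as a normal outcome.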