I'm trying to write application for Android to access Google Tasks. I decided to use ClientLogin authorization method.

I'm getting ClientLogin "Auth" marker from first POST request. Then i try to retrieve a user's task lists with GET request. I wrote the following code for this:

String requestString = "https://www.googleapis.com/tasks/v1/users/@me/lists";
String resultString = "";
     try {
       URLConnection connection1 = null;
       URL url = new URL(requestString);
       connection1 = url.openConnection( );
       HttpURLConnection httpsConnection1 = (HttpURLConnection)connection1;
       httpsConnection1.setRequestMethod("GET");
       httpsConnection1.setRequestProperty("Authorization", "GoogleLogin auth="+authkeyString);
       httpsConnection1.setDoInput(true);
       httpsConnection1.connect();  
       int responseCode = httpsConnection1.getResponseCode();
       System.out.println(responseCode);
       if (responseCode == HttpsURLConnection.HTTP_OK) {
         InputStream in = httpsConnection1.getInputStream();
         InputStreamReader isr = new InputStreamReader(in, "UTF-8");
         StringBuffer data = new StringBuffer();
         int c;
         while ((c = isr.read()) != -1){
           data.append((char) c);
         }
         resultString = new String (data.toString());
       }
       else{
            resultString = "Errror - connection problem";
           }  
       }
       httpsConnection1.disconnect();
      }
      catch (MalformedURLException e) { 
                 resultString = "MalformedURLException1:" + e.getMessage();
        }
      catch (IOException e) { 
                resultString = "IOException1:" + e.getMessage();
       }

Here is "authkeyString" - string variable with authorization marker.

When i run application under real Android device i receive: "IOException:SSL handshake failure: Failure is ssl library, usually a protocol error ..... "

Also i tried to run this code from simple java application from desktop:

Exception in thread "main" java.lang.IllegalArgumentException: Illegal character(s) in message header value: GoogleLogin auth=DQ ..... UT

at sun.net.www.protocol.http.HttpURLConnection.checkMessageHeader(HttpURLConnection.java:428)
at sun.net.www.protocol.http.HttpURLConnection.isExternalMessageHeaderAllowed(HttpURLConnection.java:394)
at sun.net.www.protocol.http.HttpURLConnection.setRequestProperty(HttpURLConnection.java:2378)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.setRequestProperty(HttpsURLConnectionImpl.java:296)
at Tasks.main(Tasks.java:81)

ClientLogin with username / password

If you want to use ClientLogin with the Google APIs Client Library for Java , you'll need to setup a HttpRequestFactory that supports authentication.

private static HttpTransport transport = new ApacheHttpTransport();

 public static HttpRequestFactory createRequestFactory(
   final HttpTransport transport) {

  return transport.createRequestFactory(new HttpRequestInitializer() {
   public void initialize(HttpRequest request) {
    GoogleHeaders headers = new GoogleHeaders();
    headers.setApplicationName("MyApp/1.0");
    request.headers=headers;
    try {
     authorizeTransport(request);
    } catch (Exception e) {
     e.printStackTrace();
    }
   }
});

Notice the authorizeTransport method, that will basically authorize the request. The authorizeTransport looks like this:

private void authorizeTransport(HttpRequest request) throws HttpResponseException, IOException {
    // authenticate with ClientLogin
    ClientLogin authenticator = new ClientLogin();
    authenticator.authTokenType = Constants.AUTH_TOKEN_TYPE;
    authenticator.username = Constants.USERNAME;
    authenticator.password = Constants.PASSWORD;
    authenticator.transport = transport;
    try {
     Response response = authenticator.authenticate();
     request.headers.authorization=response.getAuthorizationHeaderValue();
    } catch (HttpResponseException e) {
     e.printStackTrace();
    } catch (IOException e) {
     e.printStackTrace();
    }  
   }

You basically setup a ClientLogin authentication method by providing a username/passsword. The authenticate method will authenticate based on the provided values and returns a response object that can be added to the HTTP header to provide ClientLogin authentication.

Android AccountManager

In order to integrate with the Android AccountManager (avoiding the android user to type in his username / password) , you can find some sample code here http://code.google.com/p/google-api-java-client/wiki/AndroidAccountManager

The fact that the user doesn't need to key in his username/passwords adds to the users comfort level, but the solution remains relatively insecure.

I would strongly suggest doing the following :

Use a client library

I would suggest moving to Google APIs Client Library for Java for this type of interaction. It's Android compatible java client library for all kinds of Google APIs.

You don't want to be bothered with implementing low level HTTP, security and JSON plumbing.

The Google Task API Developers guide also mentions the same library. The library will take care of the authentication for you. If you want to use ClientLogin, all you'll have to do is specify a username/password, or integrate with the Android AccountManager.

Avoid using ClientLogin

ClientLogin is considered insecure, and a number of security holes have been found regarding this authentication mechanism. Google also doesn't recommend it. However, should you decide to continue using ClientLogin, the Google APIs Client Library for Java does support it.