Can the Gmail password be recovered from the Android Gmail app?
I have an Android device with the Gmail app installed. This app can access the mailbox, so there must be some kind of authentication data stored on the device (possibly an application-specific password?).
Is there a way to use the installed Gmail app to recover/reset the password for the associated Google account or set the security question/phone number associated with it?
More generally, does the Gmail app provide full control over the account, or does it only allow receiving and sending emails through the account?
It has a token to his account which can't be used to recover/change the password. Go to https://www.google.com/accounts/recovery
This question appears to be off-topic because it belongs to http://webapps.stackexchange.com/
@Adnan why does it? In my opinion, alternative ways of password recovery are a security-related question. Also, the question relates to mobile applications, authentication and password management - webapps may only come into the picture because Google also runs webapps, but the question is not about those.
@Adnan As phrased originally, I agree. But I've edited the question to make it on-topic for Sec.SE — it's fundamentally the same question but now framed as security rather than app functionality.
Succinctly, for access to Gmail specifically, the App uses the password upon the first connection, to obtain a specific token value; think of it as a randomly generated sub-password. The token value is enough to read incoming emails, send emails, and alter the mailbox. It does not, however, give any power beyond these operations, so knowing the token value does not give you access to the actual password or to other Google sites (like Google+). The App stores the token value, not the user password.
So this answers your question: if someone steals or subverts your smartphone, he can obtain the token value which grants access to your emails, but he won't be able to recover or reset your password, or access any other service linked with your password. Of course, a few caveats apply:
Someone who controls your emails can then leverage that to attack all systems that use an email-based password-recovery system. A lot of sites implement a "forgotten password" feature in which a password-reset token (say, URL) is sent through email. Gaining access to your emails is kind of equivalent to stealing your Internet life altogether.
An attacker who could subvert your phone enough to read the private data storage of the Gmail App is most probably able to plant a key/screen logger and obtain your actual password the next time you type it.
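
A simplified model of the token scheme described in the answer above, added here as an illustration; it is not part of the original answer and not Google's actual protocol. The class, method and scope names are hypothetical, and revoking tokens on password change is an assumption of this model.

```python
import hashlib, hmac, secrets

class AccountServer:
    """Toy provider that issues scoped tokens (hypothetical, not Google's protocol)."""

    def __init__(self):
        self._users = {}   # user -> (salt, PBKDF2 hash of the password)
        self._tokens = {}  # sha256(token) -> (user, frozenset of scopes)

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._kdf(password, salt))

    def _password_ok(self, user, password):
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._kdf(password, salt))

    def login(self, user, password, scopes):
        """First connection: exchange the password for a random, scoped token."""
        if not self._password_ok(user, password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)  # random, not derived from the password
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (user, frozenset(scopes))
        return token  # the app stores this value and discards the password

    def authorize(self, token, needed_scope):
        """Return the user if the token carries needed_scope, otherwise raise."""
        entry = self._tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if entry is None or needed_scope not in entry[1]:
            raise PermissionError(f"token not valid for {needed_scope}")
        return entry[0]

    def change_password(self, user, old_password, new_password):
        """Account-level action: needs the password itself, never a token."""
        if not self._password_ok(user, old_password):
            raise PermissionError("bad password")
        self.register(user, new_password)
        # Assumption of this model: a password change revokes the user's tokens,
        # which is how the owner cuts off a token held on a lost device.
        self._tokens = {d: e for d, e in self._tokens.items() if e[0] != user}
```
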