"If app developers did everything according to the guidelines from Google that the device password is not stored."
Very be stored:
It's important to understand that AccountManager is not an encryption service or a keychain. It stores account credentials just as you pass them, in plain text. On most devices, this isn't a particular concern, because it stores them in a database that is only accessible to root. But on a rooted device, the credentials would be readable by anyone with adb access to the device.
As I recall, the official app uses AccountManager.
That uses OAuth I doubt very much, because we don't ask about the permissions available to that application. In my opinion, to use a direct api with the authorization and issuance of the token.
But how to pull, see code.google.com/p/android/issues/detail?id=10809