[fattire]

     the excessively excited "omg how could you even be discussing this??" is a bit offputting

I wrote that sentence minus the omg part, but I don't think I meant what you think I meant-- The "how could you even be discussing this" wasn't dismissive-- I meant this is TOO important an issue to leave to discussion-- that action by Google (namely extending the API so the user could opt-out of auto-backup) was needed, and that until that happened, Connectbot should shut it off. Unfortunately, neither occurred.

      Isn't there APIs for safely storing passwords outside of config data?

There are means of storing data that avoid the auto-backup to Google Drive, but unless they happened to have been done already (such as saving to the /cache directory, which isn't auto-backed up) it would typically require additional work, such as manifest changes by the Developer to opt specific directories in/out of the auto-backup.

This is not just a Connectbot-specific thing. It's my understanding that ALL apps that target Marshmallow or Nougat (that is, the current and last version of Android, API 23 and 24) will automatically get this 25MB backup "service". The end user can't opt out per app either, only system-wide.

Incidentally, Connectbot does explicitly enable the backup agent.

https://github.com/connectbot/connectbot/blob/master/app/src... & 190/191

      "The automatic backup feature preserves the data your app creates on a user device by uploading it to the user’s Google Drive account and encrypting it."

For me at least, I don't want my private SSH keys and server info sent to Google, even if it's encrypted once/after it gets there. (and before someone says "use a good passphrase".. yeah, okay.)