Does your question go in the direction of Android OS and file system or more in the direction of other apps or Google e.g. Play Services?
When setting up the first WebDAV connection, we’re generating a password and storing this password in the android keystore. Now we encrypt the password to your cloud connection using the password stored in the keystore and save this ciphertext together with other details of your cloud connection (username, URL) in our sqlite database inside the app specific storage.
Both is necessary so that you don’t have to enter the password to your cloud every time you connect (therefore stored encrypted in the database located in the file system), but the password used to decrypt the password to the cloud is also protected against unwanted access (therefore stored in the android keystore).
We’re also using some other mechanism to prevent other apps from doing screenshots (e.g. while entering your cloud credentials) or preventing other apps from obscuring Cryptomator.