I imagine they use a “token” based security system, so the password is actually never stored anywhere, just used the first time to authenticate. So the app initially posts the username/password (over ssl) and the server returns a token that the app stores. For subsequent sync attempts the token is sent first, the server checks it is valid, and then allows other data to be posted.
The token should have an expiry so the server can re-request an authentication attempt.
If you hook into the sync adaptor from within the Android Framework that will give you the ability to sync and authenticate all under the hood.
http://developer.android.com/training/sync-adapters/creating-sync-adapter.html
If you check the accounts under Settings on your device you’ll see what I mean.