How do popular apps authenticate user requests from their mobile app to their server?

Maven · Nov 5, 2013 · Viewed 74.4k times

Say I have an Android application that connects to a .Net API for receiving/setting data. The confusion I have is about how to sign up/log in the user the first time and authenticate them every time they make a request to the API.

  • If I just use username/password-based authentication, that won't be safe enough, will it?
  • And I can't save that username/password on the device, for security reasons, of course?
  • Should I issue a GUID for every user at sign-up, save it on their device, and retrieve it on every API request?

What other patterns are available, and which are the most efficient and secure? I just need a process flow for it. Can someone tell me what method famous Android applications like Facebook, FourSquare, or Twitter use to authenticate every request coming from their mobile application to their server?

Sorry in advance if that's not public information.

Answer

simon · Nov 5, 2013

I imagine they use a "token"-based security system, so the password is actually never stored anywhere, just used the first time to authenticate. So the app initially posts the username/password (over SSL) and the server returns a token that the app stores. For subsequent sync attempts the token is sent first; the server checks it is valid and then allows other data to be posted.

The token should have an expiry so the server can re-request an authentication attempt.

If you hook into the sync adapter from within the Android Framework, that will give you the ability to sync and authenticate all under the hood.

http://developer.android.com/training/sync-adapters/creating-sync-adapter.html

If you check the accounts under Settings on your device you'll see what I mean.
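The token flow the answer describes, written out as an added example (this is not code from the question, the answer, or any of the apps named; it is a self-contained Python model of both sides of the exchange, standing in for the Android client and the .Net API). The assumptions are: the server stores only a salted PBKDF2 hash of the password, never the password itself; the token it issues is an HMAC-signed payload carrying the username and an expiry timestamp, signed with a server-side secret; the client keeps only the token and discards the password after login; the transport (SSL/TLS in a real deployment) is modelled as a direct method call. The `ApiServer`, `MobileClient`, user names and passwords are all constructed for the example, and the injectable clock exists only so that token expiry can be exercised without waiting.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import secrets
import time


class ApiServer:
    """Hypothetical server side: password check at login, signed tokens afterwards."""

    def __init__(self, token_ttl_seconds=3600, clock=time.time):
        self._users = {}                      # username -> (salt, pbkdf2 digest); no plaintext password
        self._key = secrets.token_bytes(32)   # server-side signing secret, never sent to clients
        self._ttl = token_ttl_seconds
        self._clock = clock                   # injectable so tests can fast-forward past expiry

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def login(self, username, password):
        """First request only: verify the password and hand back a token (None on failure)."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, expected = record
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(digest, expected):
            return None
        return self._issue_token(username)

    def _issue_token(self, username):
        # Token = base64url(payload) "." base64url(HMAC-SHA256(key, payload)); payload carries expiry.
        claims = {"sub": username, "exp": int(self._clock()) + self._ttl}
        payload = json.dumps(claims, separators=(",", ":")).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

    def verify_token(self, token):
        """Return the username the token was issued for, or None if it is malformed, forged or expired."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64.encode())
            sig = base64.urlsafe_b64decode(sig_b64.encode())
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):   # constant-time compare; rejects tampered payloads
            return None
        claims = json.loads(payload)
        if claims["exp"] <= self._clock():           # expired: server wants a fresh login
            return None
        return claims["sub"]

    def sync(self, token, data):
        """Every later request: token first, data only accepted once the token checks out."""
        user = self.verify_token(token)
        if user is None:
            return {"status": 401, "error": "token invalid or expired, re-authenticate"}
        return {"status": 200, "user": user, "stored": len(data)}


class MobileClient:
    """Hypothetical app side: posts the password once, then only ever sends the stored token."""

    def __init__(self, server):
        self._server = server
        self._token = None   # the only credential kept on the device; the password is discarded after login

    def login(self, username, password):
        self._token = self._server.login(username, password)
        return self._token is not None

    def sync(self, data):
        if self._token is None:
            return {"status": 401, "error": "not logged in"}
        return self._server.sync(self._token, data)


def run_demo():
    """Walk through login, sync, a forged token and expiry; returns the observed statuses."""
    clock = {"now": 1_700_000_000}
    server = ApiServer(token_ttl_seconds=60, clock=lambda: clock["now"])
    server.register("alice", "correct horse battery staple")   # constructed sample credentials
    client = MobileClient(server)

    bad_login = client.login("alice", "wrong password")
    good_login = client.login("alice", "correct horse battery staple")
    first_sync = client.sync({"note": "hello"})["status"]

    # Attacker re-signs a payload claiming to be "bob" without the server key: must be rejected.
    forged_payload = base64.urlsafe_b64encode(b'{"sub":"bob","exp":9999999999}').decode()
    forged_sig = base64.urlsafe_b64encode(b"\x00" * 32).decode()
    forged_user = server.verify_token(forged_payload + "." + forged_sig)

    clock["now"] += 61   # fast-forward past the 60-second TTL
    expired_sync = client.sync({"note": "later"})["status"]
    return {"bad_login": bad_login, "good_login": good_login, "first_sync": first_sync,
            "forged_user": forged_user, "expired_sync": expired_sync}


if __name__ == "__main__":
    print(run_demo())
```

The two server-side checks that matter are the constant-time signature comparison (so a tampered payload cannot be smuggled past the server) and the expiry check, which is what lets the server force the re-authentication the answer mentions. A real token store on Android would live behind `AccountManager` rather than in a plain field, and the signing secret must stay on the server; if it ever ships inside the app, anyone can mint tokens.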