Say I have an Android application that connects to a .Net API for receiving/setting data. The confusion that I have is regarding how to sign-up/login the user first time and authenticate it every time they make a request to the API.
What other patterns are available and which are most efficient and secure, I just need a process flow for it. Can someone tell me what method famous android applications like Facebook, FourSquare, or Twitter use to authenticate every request coming from their mobile application to their server?
Sorry in advance if that's not some public information.
I imagine they use a "token" based security system, so the password is actually never stored anywhere, just used the first time to authenticate. So the app initially posts the username/password (over ssl) and the server returns a token that the app stores. For subsequent sync attempts the token is sent first, the server checks it is valid, and then allows other data to be posted.
The token should have an expiry so the server can re-request an authentication attempt.
If you hook into the sync adaptor from within the Android Framework that will give you the ability to sync and authenticate all under the hood.
http://developer.android.com/training/sync-adapters/creating-sync-adapter.html
If you check the accounts under Settings on your device you'll see what I mean.