Say I have an Android application that connects to a .Net API for receiving/setting data. The confusion that I have is regarding how to sign-up/login the user first time and authenticate it every time they make a request to the API.
- If I just use username/password based authentication they won't be safe enough?
- And I can't save that username/password in the device for of course security reasons?
- Should I issue a GUID for every user at the sign-up, save it in their device and retrieve every time during an API request?
What other patterns are available and which are most efficient and secure, I just need a process flow for it. Can someone tell me what method famous android applications like Facebook, FourSquare, or Twitter use to authenticate every request coming from their mobile application to their server?
Sorry in advance if that's not some public information.
I am newbie but I will try to give logical solution for the given question.
There will be two options, [1] For every URI, http authentication will be perform where user's entered credentials will be verified and user shall access resources.
[2] Another approach could be, a user shall authenticated and on every authentication a unique token will be generated. Using generated token, user shall access resources.
Though I'm not sure which approach could be best suitable for mobile application.
I imagine they use a "token" based security system, so the password is actually never stored anywhere, just used the first time to authenticate. So the app initially posts the username/password (over ssl) and the server returns a token that the app stores. For subsequent sync attempts the token is sent first, the server checks it is valid, and then allows other data to be posted.
The token should have an expiry so the server can re-request an authentication attempt.
If you hook into the sync adaptor from within the Android Framework that will give you the ability to sync and authenticate all under the hood.
http://developer.android.com/training/sync-adapters/creating-sync-adapter.html
If you check the accounts under Settings on your device you'll see what I mean.
Username and passwords can be safe when placed in SharedPreferences. Using https in connecting to a server should be good enough as well.
I was searching for exactly the same thing and found google way, something like peterpan said, but through Google APIs. Try this link and Google your way through it, I am starting also! I'll post new info while I`m at it!
http://developer.android.com/google/auth/http-auth.html
Basically these famous use OAuth protocol (1)/ framework (2). Even though it has to be a standard, each of these had different implementations of this protocol/framework. So we have to be very careful when it comes to integration.
Example: Dropbox still uses OAuth 1 and recently came up with OAuth 2 support.
Back to Answer, As, peterpan stated, its is a token based way of authentication is one time thing and out of the equation.These tokens are expired or that power is given to the developer in some cases.
The interesting thing behind this is that, resource access scope can be defined rather than allowing the client application to keep the user names, passwords which is dangerous.
This is the basic illustration of how this works.
I will update the answer after I get more details on this, since I am working in this area these days :)
Authentication example is a good place to start. Android stores credentials in the Account Manager, you can view accounts in Android's settings. This will automatically store tokens, prompt the user for credentials if expired or missing, refresh tokens etc. I find the http part of this example lacking or old. Extending android's AccountAuthenticatorActivity is a great helper to parse serialized data to the layout and back to the internet.