
This is a follow-up to my previous question about how to secure API calls from a mobile app to a Play app hosted on Heroku.

It was originally suggested that I implement OAuth, but it seemed more complicated than I needed, and I considered just sending the password in plaintext over HTTPS with each call and storing it on the device.

  1. Would it be possible to just make up a long random string that I store in the app and require that on the API end as well? It seems this would prevent others from using the API, which is good.
  2. If so, would it be secure to just send that token over HTTPS along with the username and password of the user?
eliot

1 Answer


While writing this, I came across this answer and it looks like an acceptable solution:

  • Use HTTPS for every call
  • After the first call, send back an authToken that is sent with each subsequent call
  • Expire the token every so often on the device and server
eliot
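The three bullets above describe a flow rather than code, so here is the flow written out end to end as an added example; it is not code from the post or from the asker's Play app. Python is used only so the sketch runs stand-alone (the real server is Play on Heroku). Assumptions not in the post: TLS is terminated by the transport and therefore not modelled; the token lifetime is one hour; users and tokens live in in-memory dicts; the password table uses PBKDF2 with a constructed, fixed salt for the demo; the client class discards the password once it holds a token.

```python
"""Token-based API auth: log in once with username/password (over HTTPS),
receive an opaque authToken, send it with each later call, and let both the
server and the device expire it.

Added illustrative example, not code from the original post. All store
layouts, helper names and the TTL are assumptions made for the demo.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumption: one hour; the post does not fix a period


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a demo value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, password hash).
# A fixed salt is used only so the demo is self-contained; use a random
# per-user salt in real code.
_DEMO_SALT = b"constructed-fixed-salt-for-demo"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_DEMO_SALT, _hash_password("correct horse battery", _DEMO_SALT)),
}

# Server-side token table: sha256(token) -> (username, expires_at).
# Only the hash is stored, so a leaked table yields no usable tokens.
TOKENS: Dict[str, Tuple[str, float]] = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """First call: verify the password, mint a random authToken, return it.
    Returns None on bad credentials (same answer for unknown user / wrong password)."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
    TOKENS[_token_key(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Subsequent calls: resolve the presented token to a username, or None
    when the token is unknown or has expired (expired entries are purged)."""
    now = time.time() if now is None else now
    key = _token_key(token)
    entry = TOKENS.get(key)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        del TOKENS[key]  # server-side expiry
        return None
    return username


def logout(token: str) -> None:
    """Explicit revocation: drop the token server-side."""
    TOKENS.pop(_token_key(token), None)


class MobileClient:
    """Device side: keeps only the token and its expiry, never the password
    (assumption: the app throws the password away once it has a token)."""

    def __init__(self) -> None:
        self.token: Optional[str] = None
        self.expires_at = 0.0

    def login(self, username: str, password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self.token = login(username, password, now)
        self.expires_at = now + TOKEN_TTL_SECONDS if self.token else 0.0
        return self.token is not None

    def call_api(self, now: Optional[float] = None) -> Optional[str]:
        """Returns the username the server resolves, or None when the device
        has already dropped the token (device-side expiry) or the server rejects it."""
        now = time.time() if now is None else now
        if self.token is None or now >= self.expires_at:
            self.token = None  # device-side expiry: the app must log in again
            return None
        return authenticate(self.token, now)
```

The two expiries are deliberately independent: the device drops the token on its own clock so it never sends a stale one, and the server enforces its own deadline so a token copied off the device stops working regardless of what the client does.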