Authenticating requests from mobile (iPhone) app to ASP.Net Web API (Feedback requested on my design)

I did it using ASP.NET MVC 4.0 / Web API basic membership. You may find it helpful.

Yeah, use SSL for sure.

https://github.com/aamir-poswal/Mobile-Apps-Authentication-Authorization-ASP.NET-WEB-MVC-4.0


In VS 2013 you can use the "Asp MVC SPA Application" template to generate a working implementation that generates an OAuth2 bearer token on login and authorizes it for Web API controller calls using [Authorize] attributes. It uses Membership and Entity Framework to store users and hashes locally in SQL Server. Just delete the ASP MVC parts you don't need and keep the Auth part for Web API. More details here: http://msdnrss.thecoderblogs.com/2013/09/understanding-security-features-in-the-spa-template-for-vs2013-rc/


My suggestions

  1. Authentication and Authorization. Build it on 2 different servers (in some projects I have used 3 as well). Reverse proxy servers are really good with this. Authenticate on one server and authorize it on the other.

This, I think, is the most important step needed in mobile security for apps that use Web APIs.

  2. Encapsulate everything.

  3. Use SSL for all secure information. In my case I use it for everything.

  4. For your timestamp, select a suitable time for which you can have authorization. Do not make this very short, as your app will become slow, or too long, as network sniffers can access the packets.

If you want a 3-server architecture: for your requests, have an application key as well that you use to generate an access key (from Server 1). This access key will authenticate your requests; after successful authentication (from Server 2), you can use that key to authorize your requests from another server (Server 3).

The requests you have mentioned are standard norms. Don't really see a problem with that.
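The three-server flow described in the answer above (application key exchanged for an expiring access key, then per-request authorization with a bounded timestamp) is sketched below as an added, framework-independent example; it is not code from any answer on this page and contains no ASP.NET specifics. The app ids, secrets, lifetimes and header names are constructed placeholders chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed sample credentials for the example (placeholders, not real keys).
REGISTERED_APPS = {"ios-app": b"example-app-key-shared-with-the-app"}
SERVER_SECRET = b"example-secret-known-only-to-the-servers"

ACCESS_KEY_LIFETIME = 15 * 60   # seconds; long enough to avoid re-authenticating on every call
MAX_CLOCK_SKEW = 60             # seconds; tolerance between phone and server clocks
REQUEST_WINDOW = 5 * 60         # seconds; how long a sniffed, signed request stays replayable


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_key(app_id: str, app_key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Server 1: verify the application key and mint a signed, expiring access key."""
    now = time.time() if now is None else now
    registered = REGISTERED_APPS.get(app_id)
    if registered is None or not hmac.compare_digest(registered, app_key):
        return None
    claims = {"app": app_id, "iat": int(now), "exp": int(now) + ACCESS_KEY_LIFETIME,
              "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def validate_access_key(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Server 2: check the signature and the validity window; return the claims or None."""
    now = time.time() if now is None else now
    try:
        body_part, sig_part = token.split(".")
        body, sig = _unb64(body_part), _unb64(sig_part)
    except (ValueError, TypeError):  # malformed token or bad base64
        return None
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    if now > claims["exp"] + MAX_CLOCK_SKEW or now + MAX_CLOCK_SKEW < claims["iat"]:
        return None
    return claims


def sign_request(access_key: str, app_key: bytes, method: str, path: str,
                 body: bytes, now: Optional[float] = None) -> dict:
    """Client: present the access key and sign (timestamp, method, path, body hash)
    with the app key, so a sniffed access key alone cannot forge new requests."""
    ts = str(int(time.time() if now is None else now))
    string_to_sign = b"\n".join([ts.encode(), method.upper().encode(), path.encode(),
                                 hashlib.sha256(body).hexdigest().encode()])
    sig = hmac.new(app_key, string_to_sign, hashlib.sha256).hexdigest()
    return {"Authorization": f"Bearer {access_key}", "X-Timestamp": ts, "X-Signature": sig}


def authorize_request(headers: dict, method: str, path: str, body: bytes,
                      now: Optional[float] = None, seen_signatures: Optional[set] = None) -> bool:
    """Server 3: accept only a valid access key, a fresh timestamp, and a signature
    made with the app key of the app named in that access key. An optional
    seen_signatures set rejects exact replays inside the window."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    access_key = auth[len("Bearer "):]
    claims = validate_access_key(access_key, now)
    if claims is None or claims.get("app") not in REGISTERED_APPS:
        return False
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > REQUEST_WINDOW:  # bounds how long a captured request is useful
        return False
    app_key = REGISTERED_APPS[claims["app"]]
    expected = sign_request(access_key, app_key, method, path, body, now=ts)["X-Signature"]
    presented = headers.get("X-Signature", "")
    if not hmac.compare_digest(expected, presented):
        return False
    if seen_signatures is not None:
        if presented in seen_signatures:
            return False
        seen_signatures.add(presented)
    return True
```

The lifetimes are the knobs the answer refers to: ACCESS_KEY_LIFETIME trades re-authentication cost against exposure of the access key, and REQUEST_WINDOW (plus the replay set) limits what a captured packet is worth even when transport protection fails. All comparisons of secrets and signatures go through hmac.compare_digest to avoid timing leaks.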