说我有一个Android应用程序，连接到.NET API接收/设定数据。我有是关于如何立即登记混乱/登录用户第一次都被他发出请求的API时间验证吧。

Say I have an Android app that connects to a .Net api for receiving/setting data. The confusion that I have is regarding how to signup/login the user first time and authenticate it every time he makes a request to the api.

如果我只是使用基于用户名/口令认证，不会是安全的 够了吗？ ，我不能保存的用户名/密码的装置 为当然安全方面的原因？ 如果我发出了一个GUID对于在注册的每个用户，将其保存在他们的设备和API请求中检索每一次？ If I just use username/password based authentication the wont be safe enough? And I cant save that username/password in the device for of course security reasons? Should I issue a GUID for every user at the signup, save it in their device and retrieve every time during an api request?

还有什么其他的模式可用，这是最有效，最安全的，我只需要为它的处理流程。 谁能告诉我是什么方法，著名的Andr​​oid应用程序喜欢的Facebook ，四方，微博用来验证每一个请求，从他们的移动应用来他们的服务器？

What other patterns are available and which are most efficient and secure, I just need a process flow for it. Can someone tell me what method famous android apps likes Facebook, foursquare, twitter uses to authenticate every request coming from their mobile app to their server?

对不起提前如果这不是一些公开信息。

Sorry in advance if that's not some public information.

推荐答案

我想他们用一个象征性为基础的安全系统，因此密码实际上是永远不会存储在任何位置，只用在第一时间进行身份验证。因此，应用程序最初张贴的用户名/密码（通过SSL）和服务器返回一个标记的应用程序商店。对于后续的同步尝试令牌被首先发送，服务器检查它是有效的，然后使其他的数据被张贴

I imagine they use a "token" based security system, so the password is actually never stored anywhere, just used the first time to authenticate. So the app initially posts the username/password (over ssl) and the server returns a token that the app stores. For subsequent sync attempts the token is sent first, the server checks it is valid, and then allows other data to be posted.

该令牌应该有一个失效使服务器可以重新申请认证的尝试。

The token should have an expiry so the server can re-request an authentication attempt.

如果你从Android框架，这将使您能够同步和引擎盖下验证所有的能力范围内挂接到同步适配器。

If you hook into the sync adaptor from within the Android Framework that will give you the ability to sync and authenticate all under the hood.

http://developer.android.com/training/sync-adapters/creating-sync-adapter.html

如果您检查下您的设备上设置的帐户，你就会明白我的意思了。

If you check the accounts under Settings on your device you'll see what I mean.