Organizing a secure channel between a Web app and a Native app

清歌不尽 2020-12-15 00:28

This question is kinda complementary to "Share credentials between native app and web site", as we aim to share secrets in the opposite direction.

TL;DR:

5 Answers
  •  有刺的猬
    2020-12-15 00:45

    You could try driving the synchronization the other way:

    1. Once the user is authenticated into the web app, launch the native app from the web app via the custom URL scheme.
    2. If the native app is not authenticated, connect securely to the backend over HTTPS, create a record for the native app, retrieve a one-time token associated with that record and then launch the web app in the user's browser with the token as a URL parameter.
    3. Since the user is authenticated in the browser, when the server sees the token it can bind the native app's record with the user account.
    4. Have the native app poll (or use some other realtime channel like push notifications or a TCP connection) the server to see if the token has been bound to a user account: once that happens you can pass a persistent auth token that the native app can store.
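
One way the backend side of steps 2 to 4 could look, as an added example that is not part of the original answer. The `PairingService` class, its method names, the 120-second lifetime and the separate poll secret are assumptions; the poll secret is added so that the token exposed in the browser URL is not enough on its own to collect the persistent auth token.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 120  # seconds; assumed lifetime of the one-time token


class PairingService:
    """In-memory stand-in for the backend (all names are hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.records = {}  # sha256(one-time token) -> pairing record

    @staticmethod
    def _h(value):
        # Store only hashes so a leaked table does not reveal usable tokens.
        return hashlib.sha256(value.encode()).hexdigest()

    def create_record(self):
        """Step 2: native app registers over HTTPS and gets two secrets."""
        token, poll_secret = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.records[self._h(token)] = {
            "poll": self._h(poll_secret), "expires": self.clock() + TOKEN_TTL,
            "user": None, "delivered": False}
        return token, poll_secret  # only `token` is placed in the browser URL

    def bind(self, token, session_user):
        """Step 3: session_user comes from the authenticated web session,
        never from the URL that carried the token."""
        rec = self.records.get(self._h(token))
        if rec is None or rec["user"] is not None or self.clock() > rec["expires"]:
            return False  # unknown, already bound, or expired
        rec["user"] = session_user
        return True

    def poll(self, token, poll_secret):
        """Step 4: native app polls with the secret that never left the app."""
        rec = self.records.get(self._h(token))
        if rec is None or not hmac.compare_digest(rec["poll"], self._h(poll_secret)):
            return None
        if rec["user"] is None or rec["delivered"]:
            return None  # not bound yet, or auth token already collected
        rec["delivered"] = True  # the persistent auth token is issued once
        return {"user": rec["user"], "auth_token": secrets.token_urlsafe(32)}
```
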
