I'm designing a web site that will have a mobile companion (initially iPhone only). The web site will be an ASP.Net MVC 3 application. I'll also have an ASP.Net Web API site (M
My suggestions
This is, I think, the most important step that is needed in mobile security that uses Web APIs.
Encapsulate everything.
Use SSL for all secure information. In my case I use it for everything.
For your timestamp, select a suitable time for which you can have authorization. Do not make this very short, as your app will become slow, or too long, as network sniffers can access the packets.
If you want a 3-server architecture: for your requests, have an application key as well, which you use to generate an access key (from Server 1). This access key will authenticate your requests; after successful authentication (from Server 2), you can use that key to authorize your requests from another server (Server 3).
The requests you have mentioned are standard norms. Don't really see a problem with that.
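A server-side check along the lines of this answer (a timestamp window plus a per-app access key), written here as an added C# example for ASP.NET Web API; it is not code from the question or from any answer, and the header names, the 5-minute window, the HMAC-SHA256 signature scheme and the in-memory key store are all assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical Web API filter (not from the question or answers): refuse requests whose timestamp
// is outside the accepted window, then verify an HMAC-SHA256 over the request so that a packet
// captured on the wire can neither be altered nor be replayed once the window has passed.
public class TimestampedKeyAuthAttribute : AuthorizationFilterAttribute
{
    // The tunable from the answer: too short slows honest clients, too long helps a sniffer.
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(5);   // assumed value
    // Constructed sample store (access key -> shared secret); a real one lives in the database.
    private static readonly Dictionary<string, byte[]> Secrets = new Dictionary<string, byte[]>
        { { "demo-app", Encoding.UTF8.GetBytes("demo-secret-change-me") } };
    public override void OnAuthorization(HttpActionContext ctx)
    {
        var req = ctx.Request;
        string key = Header(req, "X-Access-Key"), ts = Header(req, "X-Timestamp"), sig = Header(req, "X-Signature");
        long unixSeconds;   // X-Timestamp is assumed to carry Unix seconds (UTC)
        if (key == null || sig == null || !long.TryParse(ts, out unixSeconds) || !Secrets.ContainsKey(key))
        { Reject(ctx, "missing or unknown credentials"); return; }
        // Freshness: a replayed packet is refused once its timestamp leaves the window (both directions, for clock skew).
        var sent = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc).AddSeconds(unixSeconds);
        if ((DateTime.UtcNow - sent).Duration() > Window)
        { Reject(ctx, "timestamp outside accepted window"); return; }
        // The signature binds method, path and timestamp, so none of them can be swapped in transit.
        string payload = req.Method.Method + "\n" + req.RequestUri.AbsolutePath + "\n" + ts;
        byte[] expected;
        using (var hmac = new HMACSHA256(Secrets[key])) expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
        byte[] given;
        try { given = Convert.FromBase64String(sig); } catch (FormatException) { given = new byte[0]; }
        if (!FixedTimeEquals(given, expected)) Reject(ctx, "bad signature");
    }
    private static string Header(HttpRequestMessage r, string name)
    { return r.Headers.Contains(name) ? r.Headers.GetValues(name).First() : null; }
    // Compare every byte rather than stopping at the first mismatch, so timing reveals nothing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    private static void Reject(HttpActionContext ctx, string why)
    { ctx.Response = ctx.Request.CreateErrorResponse(HttpStatusCode.Unauthorized, why); }
}
```

Apply it with `[TimestampedKeyAuth]` on the Web API controllers or actions that carry sensitive data; the mobile client computes the same HMAC over method, path and its current timestamp and sends it in the three headers, over SSL as the answer recommends.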
In VS 2013 you can use the "Asp MVC SPA Application" template to generate a working implementation that generates an OAuth2 bearer token on login and authorizes it for Web API controller calls using [Authorize] attributes. It uses Membership and Entity Framework to store users and hashes locally in a SQL Server. Just delete the ASP.NET MVC parts you don't need and keep the Auth part for Web API. More details here: http://msdnrss.thecoderblogs.com/2013/09/understanding-security-features-in-the-spa-template-for-vs2013-rc/
I did it using ASP.NET MVC 4.0/Web API basic membership. You may find it helpful.
Yeah, use SSL for sure.
https://github.com/aamir-poswal/Mobile-Apps-Authentication-Authorization-ASP.NET-WEB-MVC-4.0