I would like to build a little mobile App (Android and iOS) and a little backend server with a REST Api.
My app users (android or iOS) needs to login on facebook. I do that by using facebooks mobile sdk. When the login has been successful, facebook sdk will return a authentificationToken, that is now on the users smartphone.
The idea is as follows:
Whenever my app needs some data, the app will conntact to my server backend (REST) over HTTPS. For example: The app makes a simple HTTP GET and passes the retrieved Facebook authenticationToken. My Server gets this facebook authenticationToken and use this token to determine, if the user is a authenticated and to retrieve facebook profile information (firstname, lastname etc.). So the server contacts facebook too and generate the personalized response for the HTTP GET Request.
My questions are:
- Is it really enough to pass this facebookAuthentication token for each REST API call, to make the server retrieve the correct associated facebook user?
- I use HTTPS, so I guess, the connection is encrypted enough, right?
- I guess I need some signature mechanism so sign each REST API call (over HTTPS) to ensure that the facebookAuthentication token has been sent only from my mobile App. I would do that by using RSA with SHA-1 to sign any REST API call. But the problem with this approach is: that the client need to stores the private key somewhere in the App (for signing requests) and the server knows the public key (for signature matching). Is this correct? If yes, I guess its a big security issue, since a mobile app (especially android) could be decompiled to get the private key. How do I store this private key securely in my app? Is there another system for signing that you can recommend?
Bt: Do you know a good RSA lib for iOS and Android?