Mobile-to-Server API Security

Question

I am tasked with designing a system that will allow our users to also sign in to their accounts and interact with our service using their mobile phones. I am concerned about the security of the application though.

Basically, we allow people to login via OAuth using Facebook or Twitter. The mobile application (built with Appcelerator titanium) should do that too. Upon a successful login on the phone, I need to notify my app that someone logged in with FB or Twitter so that my app can retrieve user's app-specific user id.

My first thought was to write an API that the phone could call out to which would accept parameters such as the Facebook or twitter userId. I would query my database and find their internal user id and return it to the phone.

This would work fine, but its completely insecure. Anyone could hit that same API with a Facebook user id and the API would just return the internal ID (and any other data needed by the app) without knowing if the request is authorized.

This is my first mobile app, so I am a little unsure of the correct way to implement security on my API.

Answer 1

1. If you can , use https, and lots of problems solved.
2. when successfully login, you can create a session and pass sessionid to client, here I advice you to send the sessionid with RSA way( for the case that someone can sniffer your sessionid)
3. use hash signature to make sure the request is not modified on the way, but this method can not prevent repost issue.

Finally, for your problem, if there is new progress, please let me know, thanks!