
I have an HTTPS WebService that needs to be accessed from a Mobile (iPhone) application. Both are developed by our side.

We need to secure the Mobile access to this Service. So we used username/password credentials.

We are aware of OAuth, but we need a simpler authentication scheme.

What we think of is the following:

  1. The Mobile App shows a Login-form to the User/Resource Owner.

  2. The Resource Owner enters the login credentials on behalf of the Mobile App.

  3. The Mobile app connects to the Server at a special WS Method (e.g. "ValidateLogin") that takes username/password (probably hashed) as input and returns the HTTP Session Id.

  4. The Mobile app persists this HTTP Session Id (which is a unique key from the server side, and may be secure?) to communicate with the Server for subsequent requests (invoking business methods).

  5. If the Client doesn't communicate with the Server for, say, 30 min, the Server will send 403/Session_time_out. (The Mobile may remove the persisted HTTP Session Id to indicate to itself that it no longer has access to the Server resources; it may also opt to do so if it needs to end the communication with the Server.)

  6. In this case, the Mobile will need to use the Resource Owner again to obtain a new session id from the Server and gain access to the Server resources.


The Questions are:

  • Are the above steps good enough to depend on?
  • What do you think from a security perspective?
  • Do you have any other thoughts/opinions?

EDIT: It is an HTTPS WebService

Muhammad Hewedy

1 Answer

The question is very open in nature, and I believe that it is difficult to answer those general questions with your specific needs in mind.

To answer some concrete questions: How to secure your app against unauthorized clients? Look at SSL and Client side certificates.

How to manage user credentials securely? Look at using the Keychain API in iOS.

Krumelur
  • Just curious: Do you mean that some part of my answer does *not* relate to HTTPS? – Krumelur Jan 22 '12 at 15:01
  • No, I mean that I'm already using HTTPS. `To answer some concrete questions: How to secure your app against unauthorized clients? Look at SSL and Client side certificates.` – Muhammad Hewedy Jan 22 '12 at 15:07