Mmm Donuts

Reputation: 10285

Best practice for authentication and authorization in an Android Application

I'm moving over from web dev and into Android for a project I'm ever so inspired to build and was wondering what the best practice is to authenticate and authorize users in Android?

For example, say I have an Activity to log a user in. What is the best method to make sure that he/she can only access other Activities designated for authorized users? And, would it be better or worse generally speaking to employ Google Plus or Facebook for such a task?

There doesn't seem to be much material online covering this topic... Thank you!

Upvotes: 0

Views: 764

Answers (1)

Joaquin Iurchuk

Reputation: 5617

We usually use the approach of a token with an expiration date saved in the SQLite DB of the app. In Android you can access just one activity at a time (let's say, one screen at a time) and you decide which one appears first (when the user opens up your app), so you can guide the user through your app (so you don't need to worry about the possibility of the user entering a restricted area). If the user is in the Login Activity and then he presses a login button, then he will be redirected to an Activity B, exclusive for logged-in users. If the login fails you can choose if he should retry the login or if the user will be redirected to an Error Activity C.

There's no easy way for a user to open the Activity C without passing through A first. That's a big difference between the web and an app (in the former you have links and shortcuts, in the latter you provide options to guide the navigation).

Upvotes: 1
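
The token-with-expiry approach described in the answer above, written out as an added example (not code from the post or from any library): a single-row SQLite table holds the token and its expiry, and a base Activity re-checks it on every resume. `SessionStore`, `AuthenticatedActivity`, `LoginActivity` and `session.db` are hypothetical names, and the token is assumed to be issued by the app's server at login.

```java
// Added example; SessionStore, AuthenticatedActivity, LoginActivity are hypothetical names.
import android.app.Activity;
import android.content.ContentValues;
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
class SessionStore extends SQLiteOpenHelper {
    SessionStore(Context ctx) { super(ctx, "session.db", null, 1); }
    @Override public void onCreate(SQLiteDatabase db) {
        // Single-row table: server-issued token plus its expiry in epoch milliseconds.
        db.execSQL("CREATE TABLE session (id INTEGER PRIMARY KEY CHECK (id = 1), "
                 + "token TEXT NOT NULL, expires_at INTEGER NOT NULL)");
    }
    @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) {
        db.execSQL("DROP TABLE IF EXISTS session"); onCreate(db);
    }
    void save(String token, long expiresAtMillis) {
        ContentValues v = new ContentValues();
        v.put("id", 1);
        v.put("token", token);
        v.put("expires_at", expiresAtMillis);
        getWritableDatabase().insertWithOnConflict("session", null, v, SQLiteDatabase.CONFLICT_REPLACE);
    }
    /** Returns the stored token, or null when none is stored or it has expired. */
    String validToken() {
        try (Cursor c = getReadableDatabase().rawQuery(
                "SELECT token FROM session WHERE id = 1 AND expires_at > CAST(? AS INTEGER)",
                new String[] { String.valueOf(System.currentTimeMillis()) })) {
            return c.moveToFirst() ? c.getString(0) : null;
        }
    }
}
/** Base class for screens reserved for logged-in users; checked on every resume. */
abstract class AuthenticatedActivity extends Activity {
    @Override protected void onResume() {
        super.onResume();
        SessionStore store = new SessionStore(getApplicationContext());
        boolean loggedIn = store.validToken() != null;
        store.close();
        if (!loggedIn) {  // missing or expired token: send the user back to login
            startActivity(new Intent(this, LoginActivity.class));
            finish();
        }
    }
}
class LoginActivity extends Activity { /* the app's login screen (not shown) */ }
```

The check here only decides which screen is shown; the server still has to validate the token on every request. Declaring the guarded activities with `android:exported="false"` in the manifest keeps other apps from starting them directly.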
