Knock Knock: A Survey of iOS Authentication Methods

ShmooCon XI - 2015

Presented by: David Schuetz (Darth Null)
Date: Saturday January 17, 2015
Time: 11:00 - 11:50
Location: Build It

Almost all "interesting" mobile applications don't exist in a vacuum. They rely on external systems for much of their data, and as such, frequently need a method for identifying and authenticating the application's user to the server. How this happens varies widely.

As part of my day job, I frequently review mobile applications on iOS and so have seen many ways for applications to authenticate to the server -- some good, some great, some OMG awful. In this talk, I'll review some of the common (and not-so-common) techniques I've observed both on apps I've seen at work and just what's running on my own iStuff. I'll talk about what's good and what's bad, and most importantly, why. And finally, I'll try to suggest some general advice that you can follow when designing your own mobile apps, or when reviewing them for your own organization.

David Schuetz

David (@DarthNull) is a Senior Consultant with Intrepidus Group (now part of NCC Group), where he performs web and iOS application security testing, iOS research, MDM reverse engineering, and other such fun. He's honored to have spoken at multiple security conferences on topics from rainbow tables to iOS and MDM to puzzle contests. When not actively engaged in paying work, David loves solving crypto puzzles, working on side projects like KhanFu, and, when he remembers the app on his phone, looking for Geocaches. He can be found on Twitter as DarthNull, and is perpetually behind in his blogging at darthnull.org.
