dounai9294 2015-02-17 17:28
62 views
Accepted answer

too long

I'm making an app on Android that allows the user, after entering their name and password, to modify their profile through a REST web API.

I have set up a system that returns, once authenticated, a unique security token which will be used to authenticate the user when performing operations (updating the profile).

I use a URL like this for the first access the user makes (login):

webserver.com/?login&user=michael&password=7c4a8d09ca3762af61e59520943dc26494f8941b

Then, if the data are correct, the REST API returns a unique token to the Android app. The Android app stores this unique token to make the updates to the user's profile until the user closes the session.

For updates I use a URL like this:

webserver.com/?update&token=ee977806d7286510da8b9a7492ba58e2484c0ecc&newname=mathews

Then, when the user closes the session (inside the Android app), I remove the token from the web server through another URL...

Is this a good system? Is my token "safe"?

I store those URLs (without the parameter values) in constants in my Android app... Is that safe? Can I do it differently?


2 answers

  • dongwu9972 2015-02-18 19:00

    No, this is not safe. Never stuff credentials in the URL, as URLs tend to be logged in many different places, leaving the credentials exposed to third parties. Use the HTTP body for that sort of thing.

    Always use encrypted SSL/TLS to transfer credentials. Or use a crypto system like OAuth1 to avoid sending credentials in clear text. OAuth1 defines a scheme for proving ownership of credentials without actually sending them.

    Use the HTTP Authorization header for tokens. Search for "http authorization bearer token".

    This answer was chosen by the asker as the best answer.
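Added example (not code from the question or the answer): a minimal Python sketch of the server-side pattern the answer recommends, with login credentials in a POST body, the session token carried in an Authorization: Bearer header, and a simulated access-log line showing why the query-string version from the question leaks the password. The in-memory stores, the credential and all function names are constructed assumptions, and TLS on the wire is assumed rather than shown.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the web API's database (hypothetical).
USERS = {"michael": "correct horse battery staple"}   # constructed credential
PROFILES = {"michael": {"name": "michael"}}
SESSIONS = {}                                          # token -> username

def access_log_line(method, target):
    """What a typical access log keeps: method and full request target, query
    string included. Request headers and body are not written to the log."""
    return f"{method} {target}"

def valid_credentials(user, password):
    expected = USERS.get(user)
    return expected is not None and password is not None and hmac.compare_digest(expected, password)

def login(method, target, body):
    """Credentials are accepted only from a POST body (sent over TLS), never from
    the query string. Returns (token, log_line); token is None when rejected."""
    log = access_log_line(method, target)
    if method != "POST" or not valid_credentials(body.get("user"), body.get("password")):
        return None, log
    token = secrets.token_urlsafe(32)   # 256-bit random, unguessable session token
    SESSIONS[token] = body["user"]
    return token, log

def user_from_bearer(headers):
    """Resolve the caller from 'Authorization: Bearer <token>'; None if absent/unknown."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored, token):   # constant-time comparison
            return user
    return None

def update_profile(headers, body):
    """Token in the header, new data in the body; True on success."""
    user = user_from_bearer(headers)
    if user is None or "newname" not in body:
        return False
    PROFILES[user]["name"] = body["newname"]
    return True

def logout(headers):
    """Invalidate the caller's token server side; True if a session was removed."""
    if user_from_bearer(headers) is None:
        return False
    return SESSIONS.pop(headers["Authorization"].partition(" ")[2], None) is not None
```

The GET-with-query-string call is rejected, and the log line it leaves behind still contains the password, which is exactly the exposure the answer warns about; the POST path logs only the method and path.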