7. Don't allow modified requests.
Rather than replaying a request, an attacker may choose to modify it; for example, the attacker may redirect a money transfer to a different account altogether. This can be prevented by using a shared secret or a cryptographic keypair. Computing an HMAC over the request and sending it to the server along with the request allows the server to confirm that the request has not been modified in transit.
In order to build robust mobile applications, developers must check each measure off this list. Any single one left unaddressed leaves an application open to attack or abuse. However, it is easy to see how they all work together: by distrusting the client (no. 1) or assuming that an attacker is eavesdropping on communications (no. 2), the developer will want to limit the amount of time an attacker has to attack the application (no. 3). A secret key (no. 4) can be used to sign the content (no. 7), including the time stamp (no. 5) and the nonce (no. 6), to ensure that none of those three data points is modified.
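The combination the summary paragraph describes (a secret key signing the request content together with its time stamp and nonce) can be shown end to end. The following is an added Python example, not code from the original article: the canonical field layout, the five-minute skew window, the field names and the in-memory nonce cache are all assumptions made for the illustration. The client computes an HMAC-SHA256 over the method, path, body, time stamp and nonce; the server recomputes it, rejects stale time stamps and reused nonces, and only records a nonce once the MAC has verified, so unauthenticated traffic cannot poison the replay cache.

```python
import hashlib
import hmac
import json
import secrets
import time

# Shared secret for this example only; a real deployment provisions one per client.
SHARED_SECRET = b"example-shared-secret-not-for-production"

# Accept time stamps within +/- 5 minutes of the server clock (assumed window).
MAX_SKEW_SECONDS = 300


def canonicalize(method, path, body, timestamp, nonce):
    """Build the exact bytes both sides authenticate.

    The body is serialised as compact, key-sorted JSON so that client and server
    agree on one representation; json.dumps escapes newlines, so the newline
    separator cannot be forged by a body value.
    """
    body_json = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return "\n".join([method.upper(), path, body_json, str(timestamp), nonce]).encode()


def compute_mac(secret, method, path, body, timestamp, nonce):
    return hmac.new(secret, canonicalize(method, path, body, timestamp, nonce),
                    hashlib.sha256).hexdigest()


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: attach time stamp, nonce and MAC to an outgoing request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    return {
        "method": method, "path": path, "body": body,
        "timestamp": timestamp, "nonce": nonce,
        "mac": compute_mac(secret, method, path, body, timestamp, nonce),
    }


class RequestVerifier:
    """Server side: freshness (time stamp), uniqueness (nonce), integrity (MAC)."""

    def __init__(self, secret, now=time.time):
        self._secret = secret
        self._now = now
        # Replay cache; a production server would expire entries older than the skew window.
        self._seen_nonces = set()

    def verify(self, req):
        """Return (accepted, reason)."""
        now = int(self._now())
        if abs(now - req["timestamp"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        if req["nonce"] in self._seen_nonces:
            return False, "replayed nonce"
        expected = compute_mac(self._secret, req["method"], req["path"], req["body"],
                               req["timestamp"], req["nonce"])
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected, req["mac"]):
            return False, "bad mac"
        # Record the nonce only after the MAC verified.
        self._seen_nonces.add(req["nonce"])
        return True, "ok"


def demo():
    """Walk a tampered, a legitimate, a replayed and a stale request past the verifier."""
    t0 = 1_700_000_000                      # constructed fixed clock for a deterministic run
    clock = [t0]
    verifier = RequestVerifier(SHARED_SECRET, now=lambda: clock[0])
    body = {"to": "ACCT-1234", "amount": 100}           # constructed sample request
    req = sign_request(SHARED_SECRET, "POST", "/transfer", body, timestamp=t0, nonce="nonce-A")

    results = {}
    # Destination account changed in flight; the original MAC no longer matches.
    tampered = dict(req, body={"to": "ACCT-9999", "amount": 100})
    results["tampered"] = verifier.verify(tampered)[1]
    results["legit"] = verifier.verify(req)[1]
    results["replayed"] = verifier.verify(req)[1]        # same nonce seen twice
    old = sign_request(SHARED_SECRET, "POST", "/transfer", body, timestamp=t0, nonce="nonce-B")
    clock[0] = t0 + MAX_SKEW_SECONDS + 1                 # server clock moves past the window
    results["stale"] = verifier.verify(old)[1]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>9}: {verdict}")
```

The order of checks matters less than the rule that nothing is written to the replay cache before the MAC has verified; the nonce set and the time stamp window together bound how long a captured request stays usable, while the MAC ties the time stamp and nonce to the body so none of them can be swapped independently.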