I was passing by and, well, it's all fine, except for this:
With the mobile app I send the login and password to the server api.
Never! You hear that, Carl?! NEVER SEND authorization data to the server WITHOUT PRE-HASHING it on the client side with the server key.
1. The data on the client: hash(USER1:PASSWORD:SKEY:RANDOM),
2. Send to the server: ab1e37ab50c61d8c80fb5cb4b1e3122f:RANDOM
3. Looking for on the server match:
ab1e37ab50c61d8c80fb5cb4b1e3122f === hash(USER:PASSWORD:SKEY:RANDOM), and fetch the user's account if everything matches.
Other than that, yes! Thanks, it's all written quite clearly and correctly!
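The three-step exchange from the comment above, written out as an added example (not code from the commenter or the thread). The comment names no hash function and its sample digest is only MD5-length, so SHA-256 is an assumption here, as are the shared key value, the sample account, the hex nonce, and the replay set on the server.

```python
import hashlib
import hmac
import secrets

SKEY = "server-key-example"  # constructed placeholder for the shared server key

# RANDOM sits inside the same hash as the password, so the server can only
# recompute hash(USER:PASSWORD:SKEY:RANDOM) if it still holds PASSWORD itself;
# this constructed store therefore keeps the plaintext password per account.
USERS = {"USER1": "correct horse battery staple"}  # constructed sample account


def make_token(user: str, password: str, skey: str, random_hex: str) -> str:
    """Step 1 (client): hash(USER:PASSWORD:SKEY:RANDOM), fields joined by ':'."""
    material = f"{user}:{password}:{skey}:{random_hex}".encode()
    return hashlib.sha256(material).hexdigest()


def client_login_message(user: str, password: str, skey: str = SKEY) -> str:
    """Step 2 (client): the message actually sent, '<digest>:<RANDOM>'."""
    random_hex = secrets.token_hex(16)  # assumed: client picks a fresh hex nonce
    return f"{make_token(user, password, skey, random_hex)}:{random_hex}"


class Server:
    """Step 3 (server): find the account whose recomputed hash matches."""

    def __init__(self, users: dict, skey: str = SKEY):
        self.users = users
        self.skey = skey
        self.seen_nonces = set()  # added check: a captured message cannot be replayed

    def lookup(self, message: str):
        """Return the matching user name, or None when nothing matches."""
        try:
            digest, random_hex = message.split(":")
        except ValueError:
            return None  # malformed message
        if random_hex in self.seen_nonces:
            return None  # replay of an earlier login message
        # No user name is sent, so every account must be tried in turn.
        for user, password in self.users.items():
            expected = make_token(user, password, self.skey, random_hex)
            if hmac.compare_digest(expected, digest):  # constant-time compare
                self.seen_nonces.add(random_hex)
                return user
        return None
```

Because the message carries no user name, the server's search cost grows with the number of accounts; the digest comparison uses a constant-time compare so the scan itself does not leak how far a guess got.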