Authenticate native mobile app using a REST API

Posted by Supercell on Programmers
Published on 2013-11-09T17:07:37Z Indexed on 2013/11/09 22:09 UTC

I'm starting a new project soon, which is targeting a mobile application for all major mobile platforms (iOS, Android, Windows). It will be a client-server architecture.

The app is both informational and transactional. For the transactional part, they're required to have an account and log in before a transaction can be made. I'm new to mobile development, so I don't know how the authentication part is done on these platforms. The clients will communicate with the server through a REST API. Will be using HTTPS, of course.

I haven't yet decided if I want the user to log in when they open the app, or only when they perform a transaction.

I got the following questions:

1) Like the Facebook application, you only enter your credentials when you open the application for the first time. After that, you're automatically signed in every time you open the app. How does one accomplish this? Just simply by encrypting and storing the credentials on the device and sending them every time the app starts?

2) Do I need to authenticate the user for each (transactional) request made to the REST API or use a token based approach?

Please feel free to suggest other ways for authentication.

Thanks!

© Programmers or respective owner
