There are actually two ways to do this, each of which has some disadvantages.
1) Open the REST interface (here you will find a simple Java client that uses it, and an iOS sample of how to use it on a mobile device)
The problem is that if someone downloads your application from the store and checks its network traffic (or just decompiles it), they will find your calls. With that, they could create an app that does the same thing as yours and records the passwords entered by users (for example, a "man in the middle" attack).
2) Open the real website in the web view inside your APP
You will need to create a mobile or responsive login page on your CAS server so that it looks good. Obviously, even here, someone could theoretically copy your app and build a fake website that looks like your CAS, which grabs the username and password and sends them in the background to your CAS to give the user the impression that everything went right, but this is much more complicated. However, even here you will need to configure CAS; CAS is designed to accept the login for the service to which it will redirect after a successful login. Therefore, in this case, you need to add a fake service to the CAS configuration and check whether the web view is redirected to it. When this happens, you will find the TGT in the CASTGC cookie.
In our first apps, we used the REST version, but then, when we used our CAS for websites, we wanted to restrict REST access only to other servers on the site, so we came up with the second solution, which seems to work better, but a common CAS doesn't seem ready for mobile apps.
Hons
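The redirect check from option 2, as an added example that is not part of the original answer: it decides whether a web view navigation has reached the placeholder service registered in CAS and only then reads the CASTGC cookie. The service URL, function names and sample values are hypothetical, and it assumes the cookie carries the raw TGT id as the answer describes.

```javascript
// Added example: constructed hosts and values, not from the original answer.
const PLACEHOLDER_SERVICE = "https://app.example.invalid/cas-done"; // hypothetical service registered in CAS

// True only if the web view landed on exactly the registered placeholder service.
function isServiceRedirect(navigatedUrl, serviceUrl = PLACEHOLDER_SERVICE) {
  let nav, svc;
  try {
    nav = new URL(navigatedUrl);
    svc = new URL(serviceUrl);
  } catch {
    return false; // unparsable URL: treat as "not our redirect"
  }
  // origin covers scheme, host and port, so lookalike hosts and http:// downgrades fail
  return nav.protocol === "https:" && nav.origin === svc.origin && nav.pathname === svc.pathname;
}

// Parse a "name=value; name2=value2" cookie string, as read from a web view cookie store.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Returns { tgt, serviceTicket } once login has completed, otherwise null.
function extractLoginResult(navigatedUrl, casCookieString) {
  if (!isServiceRedirect(navigatedUrl)) return null;
  const tgt = parseCookies(casCookieString).get("CASTGC");
  // Assumption: the cookie holds the raw ticket id ("TGT-..."), as the answer describes.
  if (!tgt || !/^TGT-[A-Za-z0-9._-]+$/.test(tgt)) return null;
  // CAS appends the service ticket as ?ticket=ST-... when it redirects to the service.
  const serviceTicket = new URL(navigatedUrl).searchParams.get("ticket");
  return { tgt, serviceTicket };
}
```

Comparing the full origin and path, instead of a prefix or substring match, keeps a lookalike host from being mistaken for the registered service.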