Thank you Hector, this looks great!
I do see one missing point that should be covered, and that is proper flow of oAuth authentication. The INTENDED flow is that the third-party site where authentication is made should be opened in the trusted, system browser. (e.g. NOT within the WebView within the app itself.)
This way, users are assured that it is simply not possible for the app to capture the user's authentication information (e.g. user ID, password).
After authentication, the user is directed back to the app with a token. Every mobile platform today supports this redirection, as does Rhodes.
I see this often mis-used in apps, where the authentication is done within the app itself, and this completely misses the point of oAuth.
The risks include unfavorable user backlash (from savvy users), violation of third-party terms of service and subsequent denial of service, violation of App Store policy resulting in rejection/ejection of the app or banning of the developer, HIPAA or other applicable standard violation, lawsuits, criminal prosecution, etc. etc. etc.
Separately, do we have an example showing proper oAuth flow? It not, it would be very handy to have.