Tags: php, android, rest, oauth-2.0, access-token

Is OAuth2 what my app needs?


I'm making an app on Android that allows the user, after having entered a name and password, to modify their profile through a REST web API.

I have established a system that returns, once the user is authenticated, a unique security token which is then used to authenticate the user for operations (updating the profile).

I used a URL like this for the first time the user accesses it (login):

webserver.com/?login&user=michael&password=7c4a8d09ca3762af61e59520943dc26494f8941b

Then, if the data are correct, the REST API returns a unique token to the Android app. The Android app stores this unique token to perform the updates of the user's profile until the user closes the session.

For updates I used a URL like this:

webserver.com/?update&token=ee977806d7286510da8b9a7492ba58e2484c0ecc&newname=mathews

Then, when the user closes the session (inside the Android app), I remove the token from the web server through another URL...

Is this a good system? Is my token "safe"?

I store those URLs (without the parameter values) in constants of my Android app... Is that safe? Can I do otherwise?


Solution

  • No, this is not safe. Never put credentials in the URL, as URLs tend to be logged in many different places, leaving the credentials exposed to third parties. Use the HTTP body for that sort of thing.

    Always use encrypted SSL/TLS to transfer credentials. Or use a crypto system like OAuth1 to avoid sending credentials in clear text. OAuth1 defines a scheme for proving ownership of credentials without actually sending them.

    Use the HTTP Authorization header for tokens. Search for "http authorization bearer token".
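As an added example (not code from the question or the answer), here are the request shapes the answer recommends and the matching server-side bearer-token check, written in Python; the host, paths, token store and sample values are constructed for illustration.

```python
# Added example: credentials in the POST body over TLS, token in the
# Authorization header, and a server-side check that ignores anything in
# the query string. Host, paths and the token store are constructed.
import hmac
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed in-memory token store: token -> user (a real server uses a database).
TOKENS = {}

def login_request(user, password):
    """Credentials travel in the POST body, never in the URL; TLS encrypts the body."""
    return {"method": "POST", "url": "https://webserver.com/login",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"user": user, "password": password})}

def issue_token(user):
    """Server side: mint an unguessable token after a successful login."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = user
    return token

def logout(token):
    """Server side: revoke the token when the app closes the session."""
    TOKENS.pop(token, None)

def update_request(token, new_name):
    """Token goes in the Authorization header; the URL carries no secrets."""
    return {"method": "POST", "url": "https://webserver.com/profile",
            "headers": {"Authorization": f"Bearer {token}"},
            "body": urlencode({"newname": new_name})}

def bearer_token(headers):
    """Parse 'Authorization: Bearer <token>'; any other scheme yields no token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme == "Bearer" and token else None

def authenticate(request):
    """Server side: map the bearer token to a user, or refuse.
    A token placed in the query string is never consulted, so it grants nothing."""
    token = bearer_token(request["headers"])
    if token is None:
        return None
    for known, user in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):  # constant-time
            return user
    return None

def log_line(request):
    """What the access log should record: method and path, with no secrets."""
    return f'{request["method"]} {urlsplit(request["url"]).path}'
```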