Salesforce Mobile App Security

During my CTA board in November, I was asked how a mobile device stays connected to Salesforce. I was not able to answer the question.

Here is the answer: OAuth pairing. When a device initially logs in, the device is uniquely identified and paired with the mobile user's account using the OAuth 2.0 protocol.

From the documentation:
After initial login, there is no exchange of a password in the communication between the mobile client and the Salesforce server. For this reason, the Salesforce password is not stored on the device and is not required even when the password is changed or has expired.
A user obtains an access token and refresh token after successfully completing the OAuth User-Agent authentication. A user can use the refresh token to get a new access token (session ID). Upon logout, the OAuth access and refresh tokens are revoked, and the user-set passcode is wiped (if a passcode is enabled by the org admin). The user is re-prompted to enter the username/password and reset the passcode.
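As an added illustration (not code from the post or from Salesforce), the token lifecycle the quoted documentation describes, modelled as a small in-memory authorization server: the password is checked once at login, the refresh token alone mints new session IDs, and revoking it on logout kills the pairing and every session issued under it. The two-hour session timeout, the token store layout and the example username are assumptions.

```python
import secrets

# Constructed model of the access/refresh token pairing described above.
# Not Salesforce code: an in-memory stand-in for the authorization server.
ACCESS_TTL = 2 * 60 * 60  # assumption: 2-hour session timeout, in seconds


class TokenServer:
    def __init__(self):
        self.refresh_tokens = {}  # refresh token -> username (the device pairing)
        self.access_tokens = {}   # session ID -> (username, refresh token, expiry)

    def _issue_access(self, username, refresh, now):
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = (username, refresh, now + ACCESS_TTL)
        return access

    def user_agent_login(self, username, credentials_valid, now):
        """Initial login. The password is verified once (server side) and never
        stored on the device; only the token pair goes back to the client."""
        if not credentials_valid:
            return None
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = username
        return {"access_token": self._issue_access(username, refresh, now),
                "refresh_token": refresh}

    def refresh(self, refresh_token, now):
        """grant_type=refresh_token: a new session ID, no password involved.
        Returns None (invalid_grant) once the pairing has been revoked."""
        username = self.refresh_tokens.get(refresh_token)
        if username is None:
            return None
        return {"access_token": self._issue_access(username, refresh_token, now)}

    def validate(self, access_token, now):
        """Username for a live session ID; None if unknown, revoked or expired."""
        entry = self.access_tokens.get(access_token)
        if entry is None or now >= entry[2]:
            return None
        return entry[0]

    def revoke(self, refresh_token):
        """Logout: drop the pairing and every session ID issued under it."""
        self.refresh_tokens.pop(refresh_token, None)
        for access, (_, refresh, _) in list(self.access_tokens.items()):
            if refresh == refresh_token:
                del self.access_tokens[access]
```

The useful observation for an admin is the last step: an expired session ID is harmless while the refresh token lives, but revoking the refresh token (logout, or admin revocation of the connected app's token) is what actually ends the device's pairing.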

