Howdy!
The first section is indeed still accurate.
The Application specific password is not, you will need to take the user’s actual password and send it along with the initial request. Do not store that, instead just store the token you get back… it also comes with a re-auth token that you can use on expiry of the main token or if you need to regenerate a token.
Other than that you are fine. Do keep us posted on things while building the app and let us know if we can be of any help.