Is the OAuth timestamp problematic on mobile?
I've got a REST API that uses OAuth for authentication. This API will primarily be used for mobile applications.
One of the developers working on a mobile app (he seems to be unfamiliar with OAuth) asked about the timestamp restriction. He was concerned that if the user's clock is off, the app will not work, because if it's off by more than 5 minutes (the current restriction my app uses), the request will be assumed to be a replay attack, and be rejected.
I'm wondering, have you (either as app developer or API developer) run into this problem in the wild? How have you worked around it? What is a reasonable restriction on the timestamp synchronization?
I just had this exact same question, and after doing a double take on the documentation I think that I have entirely screwed up the implementation of the timestamp by thinking in the same way you were. Check it out:
http://oauth.net/core/1.0/#nonce
Unless otherwise specified by the Service Provider, the timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT. The timestamp value MUST be a positive integer and MUST be equal or greater than the timestamp used in previous requests.
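As an added example that is not part of the question or answer above, here is a server-side check in Python that enforces both rules together: the 5-minute window the question describes and the "equal or greater than the previous timestamp" rule the quoted spec states, plus rejection of a repeated (timestamp, nonce) pair for the same consumer. The class, its method names and the sample requests are my own constructions, not code from any OAuth library.

```python
import time

# Tolerance (seconds) between the client's clock and the server's clock.
# 5 minutes is the window the question says the API currently uses.
CLOCK_SKEW = 5 * 60


class TimestampNonceValidator:
    """Per-consumer-key replay protection as OAuth 1.0 describes it:
    the timestamp must be a positive integer, must fall inside the skew
    window, must not go backwards for the same consumer key, and the
    (timestamp, nonce) pair must never repeat for that key."""

    def __init__(self, skew=CLOCK_SKEW, now=time.time):
        self.skew = skew
        self.now = now            # injectable clock, so tests are deterministic
        self.last_ts = {}         # consumer_key -> highest timestamp accepted
        self.seen = set()         # (consumer_key, timestamp, nonce) already used

    def check(self, consumer_key, timestamp, nonce):
        """Return (accepted, reason). State changes only on acceptance."""
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return False, "timestamp_not_integer"
        if ts <= 0:
            return False, "timestamp_not_positive"
        server_now = int(self.now())
        # A client whose clock is off by more than the window lands here,
        # which is exactly the failure the mobile developer was worried about.
        if abs(server_now - ts) > self.skew:
            return False, "timestamp_out_of_window"
        # Spec rule: MUST be equal to or greater than the previous timestamp.
        if ts < self.last_ts.get(consumer_key, 0):
            return False, "timestamp_older_than_previous"
        key = (consumer_key, ts, nonce)
        if key in self.seen:
            return False, "nonce_replayed"
        self.seen.add(key)
        self.last_ts[consumer_key] = ts
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through with a frozen server clock of 1,000,000.
    v = TimestampNonceValidator(now=lambda: 1_000_000)
    print(v.check("app1", 1_000_000, "n1"))   # accepted
    print(v.check("app1", 1_000_000, "n1"))   # same nonce replayed -> rejected
    print(v.check("app1", 999_000, "n3"))     # clock off by 1000 s -> rejected
    print(v.check("app1", 999_900, "n4"))     # in window, but older -> rejected
```

Returning the server's current time in the rejection response lets a client with a skewed clock compute its offset and retry, which is a common way to keep such devices working without widening the window.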