Question

We are building an iPhone app and need to create our own REST API to handle logins etc. The backend is in Java and we need a way to log in users to the iPhone application and allow them to make requests to the API as that user. Because there are no sessions in mobile, what would be the best way to implement this?

Solution 2

I used HMAC to make sure security and integrity could be guaranteed while communicating between the mobile device and the API. To handle logins we use an access token that expires after a set period.

OTHER TIPS

You can use RESTEasy for the Java backend. If you're on an HTTPS server you can simply use Basic Auth. If SSL is not an option you have to use an HMAC implementation. Here's an example in PHP+JS.
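
The HMAC signing and expiring access token that both answers describe, sketched for a Java backend as an added example that is not part of the original answers. The canonical string layout, the 300-second freshness window, the per-user secret issued at login, and all class and method names are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class HmacRequestCheck {
    static final long MAX_SKEW_SECONDS = 300; // assumed freshness window to limit replay

    // Canonical form both client and server sign: method, path, timestamp, body.
    static String canonical(String method, String path, long ts, String body) {
        return method + "\n" + path + "\n" + ts + "\n" + body;
    }

    static String sign(byte[] key, String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(tag);
    }

    // Server side: reject expired tokens and stale timestamps, then recompute
    // the signature and compare it in constant time.
    static boolean verify(byte[] key, long tokenExpiry, String method, String path,
                          long ts, String body, String sentSig, long now) throws Exception {
        if (now >= tokenExpiry) return false;
        if (Math.abs(now - ts) > MAX_SKEW_SECONDS) return false;
        byte[] expected = sign(key, canonical(method, path, ts, body))
                .getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, sentSig.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: key, clock, path and body are not from the page.
        byte[] key = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        long now = 1_700_000_000L;
        long expiry = now + 3600;
        String path = "/api/orders";
        String body = "{\"amount\":10}";
        String sig = sign(key, canonical("POST", path, now, body));

        System.out.println("valid:    " + verify(key, expiry, "POST", path, now, body, sig, now + 5));
        System.out.println("tampered: " + verify(key, expiry, "POST", path, now, "{\"amount\":9999}", sig, now + 5));
        System.out.println("replayed: " + verify(key, expiry, "POST", path, now, body, sig, now + 900));
        System.out.println("expired:  " + verify(key, expiry, "POST", path, now, body, sig, expiry));
    }
}
```

The signature covers the method, path, timestamp and body, so changing any of them invalidates the request; the shared secret itself still has to be delivered to the device over a protected channel at login.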

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow