user1387873

Reputation: 1

Authenticate a mobile app on the server side

I am writing an iPhone app that would need to communicate with our servers. On the server side, I am writing an API in PHP that the app would talk to. What is the best way to authenticate the apps and basically restrict access to the apps and shut everyone else out?

I need a way of recognizing that an incoming request to the API is a legitimate request from our API.

What other security concerns should I keep in mind and account for?

Any design suggestions?

I am currently looking into what OAuth can do for me here!

Upvotes: 0

Views: 682

Answers (2)

Pablo Santa Cruz

Reputation: 181450

I think you don't need OAuth, because it only helps when you need authentication involving three parties. Example: your application authenticating a Facebook user (three parties here: you, the Facebook user, and Facebook).

I would make sure you use this:

  1. HTTPS (never send passwords or sensitive data over plain HTTP).
  2. A login.php script that will authenticate your user and, upon valid authentication, will generate an access_token for your mobile user.
  3. Each restricted service you provide with PHP will ask for a valid access_token as a parameter in order to execute.
  4. Make sure your access_token expires after a certain time or under conditions you might impose.

Upvotes: 1
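The four steps above, worked into one runnable PHP file as an added example (this is not code from the question or from the answer; it is an illustration written for this page). It assumes a single `$users` array standing in for a user table and a `$tokens` array standing in for a token table; the function names `issue_token`, `verify_token`, `bearer_token` and `require_https` are this example's own. Two choices go slightly beyond the answer's wording: the token is stored hashed, so a leaked table does not hand out live tokens, and it travels in an `Authorization: Bearer` header rather than a URL parameter, so it does not end up in web-server access logs.

```php
<?php
declare(strict_types=1);

// Added example: a minimal login.php plus one restricted endpoint in a single
// file. $users and $tokens stand in for database tables (assumption); the rest
// runs as-is under the PHP CLI.

const TOKEN_TTL_SECONDS = 3600;   // step 4: tokens expire after one hour

// Constructed sample user. Only password_hash() output is stored, never the password.
$users = [
    'alice' => ['id' => 1, 'password_hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
];

// Token store keyed by sha256(token), so a copy of this table yields no usable token.
$tokens = [];

// Step 2: validate credentials and hand back a fresh access_token, or null on failure.
function issue_token(array $users, array &$tokens, string $username, string $password): ?string
{
    $row = $users[$username] ?? null;
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;                                 // caller answers 401
    }
    $token = bin2hex(random_bytes(32));              // 256 bits from the CSPRNG
    $tokens[hash('sha256', $token)] = [
        'user_id'    => $row['id'],
        'expires_at' => time() + TOKEN_TTL_SECONDS,
    ];
    return $token;
}

// Steps 3 and 4: look a presented token up; reject it if unknown or expired.
// Returns the user id the token was issued to, or null.
function verify_token(array &$tokens, string $token): ?int
{
    $key = hash('sha256', $token);
    if (!isset($tokens[$key])) {
        return null;
    }
    if ($tokens[$key]['expires_at'] <= time()) {
        unset($tokens[$key]);                        // drop expired tokens on sight
        return null;
    }
    return $tokens[$key]['user_id'];
}

// Pull "Authorization: Bearer <token>" out of the request. The token is 64 hex
// characters (32 bytes), so anything else is rejected before it reaches the store.
function bearer_token(array $server): ?string
{
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    return preg_match('/^Bearer\s+([A-Fa-f0-9]{64})$/', $header, $m) ? $m[1] : null;
}

// Step 1: refuse anything that did not arrive over TLS.
function require_https(array $server): void
{
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        http_response_code(403);
        exit('HTTPS required');
    }
}

// Simulated exchange, as the iPhone app and the PHP API would see it.
// require_https($_SERVER);   // enable behind a real web server

// login.php: good credentials yield a token, bad ones do not.
$token = issue_token($users, $tokens, 'alice', 'correct horse battery');
if ($token === null) {
    throw new RuntimeException('login with valid credentials should succeed');
}
if (issue_token($users, $tokens, 'alice', 'wrong password') !== null) {
    throw new RuntimeException('login with a wrong password should fail');
}

// restricted endpoint: the app sends the token back in a header.
$fakeServer = ['HTTP_AUTHORIZATION' => 'Bearer ' . $token];
$presented  = bearer_token($fakeServer);
echo 'user id for valid token: ', var_export(verify_token($tokens, $presented), true), PHP_EOL;

// A token that was never issued is rejected even though it has the right shape.
echo 'unknown token: ', var_export(verify_token($tokens, str_repeat('0', 64)), true), PHP_EOL;

// Simulate step 4 by winding the clock forward on the stored record.
$tokens[hash('sha256', $token)]['expires_at'] = time() - 1;
echo 'same token after expiry: ', var_export(verify_token($tokens, $presented), true), PHP_EOL;
```

Running the file with `php example.php` prints the user id for the freshly issued token and `NULL` for both the unknown token and the expired one. In a real deployment `$tokens` becomes a table with the hashed token as primary key, and a periodic job deletes rows whose `expires_at` has passed, so the store does not grow without bound.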

Halcyon

Reputation: 57713

Look at the big companies. Google uses an API key for all their public APIs so they can track behavior and block if they suspect abuse.

Since your API is probably not public, you might need more security, but then you'd probably need to encrypt all communication :<

Upvotes: 0
