How to secure a REST API for mobile applications?

Question

I am trying to add a REST interface to Django for a mobile client. The mobile client will use JSON over HTTPS. I have not been able to find the "best" way to accomplish this for mobile devices. From searching around, it seems that #2 is more favorable to #1:

1. Use HTTP authentication and establish a cookie based session. All transactions will occur over HTTP and JSON messages will only contain commands or data.
2. Pass the username and password (encrypted) within each JSON msg for all transactions and do not rely on cookie-based sessions.

Answer 1

I would recommend sending the username / password first with a login call. The JSON will pass back an authToken or accessToken which the mobile device will send back for all subsequent calls. You will then check to make sure the authToken is valid. This is the approach many API's take. In their database they will bind the API key to the users account that they logged in with.

Answer 2

OAuth is overkill unless you want to make these services available to other developers (which they would access on behalf of your end users). Better to go with option 2, but I would recommend using Digest Authentication as opposed to Password Authentication. Combine that with SSL and you are definitely good to go.

Answer 3

Number 2 is preferable, and rather than roll your own, I would recommend using OAuth authentication if possible. Both client and server libraries are readily available for use on most platforms now. Check http://oauth.net for details.

Answer 4

So long as you're using actual encryption and not base64 or some homegrown obfuscation algorithm, #2 is fine and dandy. You might also want to consider the route many companies take, which is binding an API key to a username.