I'm looking for some suggestions on how to provide access to a RESTful API that will initially be used by an iPhone application but will have other clients in the future. The data represented by this API must be kept secure, as it may contain health information. All access will be via HTTPS.
I'm thinking I'd like to require pre-registration of iPhones during setup, and then also some type of PIN / password for each request. So simply knowing the password without first registering the phone / client will not grant access. I was thinking of tying it to the iPhone ID somehow, if possible, but I'm not sure whether that would provide any additional security. The iPhone ID is just another piece of information, and it may not even be secret.
So, some requirements would be as follows:
- Use some type of PIN-based solution on the iPhone, but I want more security than a simple 4-6 digit PIN can provide.
- Passwords can't be sent in the clear.
- Not susceptible to replay attacks.
- During the initial data exchange between the client and the server, when setting up the client, anything goes.
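One way to meet the four requirements above, written here as an added example rather than code from the question or any answer: at setup the server mints a random per-device secret (the "anything goes" exchange); for every request the phone stretches the user's PIN with that secret into an HMAC key and signs the method, path, body hash, timestamp and a random nonce; the server, which stored only the derived key at registration, recomputes the HMAC, rejects stale timestamps and repeated nonces, and never sees the PIN on the wire. The device IDs, PIN, paths, window size and PBKDF2 cost are assumed sample values, and the client's keychain storage and HTTPS transport are left out.

```python
import hashlib
import hmac
import secrets
import time

# Assumed tunables (not from the question): replay window and PBKDF2 cost.
WINDOW_SECONDS = 300
PBKDF2_ITERATIONS = 100_000


def derive_request_key(pin: str, device_secret: bytes) -> bytes:
    """Stretch the PIN with the per-device registration secret as salt.
    A short PIN alone is brute-forceable, so it is never a key by itself: an
    attacker needs both the PIN and the 32-byte secret held by the phone."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, PBKDF2_ITERATIONS)


def canonical_string(method: str, path: str, body: bytes, timestamp: int, nonce: str) -> bytes:
    """Exact bytes both sides MAC. The body hash binds the signature to this
    request; the timestamp and nonce stop it from being replayed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def signature(key: bytes, request: dict) -> str:
    msg = canonical_string(request["method"], request["path"], request["body"],
                           request["timestamp"], request["nonce"])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    """Keeps one derived key per registered device; the PIN itself is never stored."""

    def __init__(self):
        self._keys = {}   # device_id -> derived request key
        self._seen = {}   # device_id -> {nonce: timestamp} for replay detection

    def register(self, device_id: str, pin: str) -> bytes:
        """Initial setup exchange: mint the device secret, store the derived
        key, and hand the secret to the phone (it would go in the keychain)."""
        device_secret = secrets.token_bytes(32)
        self._keys[device_id] = derive_request_key(pin, device_secret)
        return device_secret

    def verify(self, request: dict, now=None):
        """Return (accepted, reason) for a signed request."""
        key = self._keys.get(request["device_id"])
        if key is None:
            return False, "unregistered device"
        now = time.time() if now is None else now
        if abs(now - request["timestamp"]) > WINDOW_SECONDS:
            return False, "stale timestamp"
        seen = self._seen.setdefault(request["device_id"], {})
        for nonce, ts in list(seen.items()):       # expire nonces outside the window
            if now - ts > WINDOW_SECONDS:
                del seen[nonce]
        if request["nonce"] in seen:
            return False, "replayed nonce"
        if not hmac.compare_digest(signature(key, request), request["signature"]):
            return False, "bad signature"
        seen[request["nonce"]] = request["timestamp"]
        return True, "ok"


class Client:
    """Phone side: stores only the device secret and takes the PIN per request."""

    def __init__(self, device_id: str, device_secret: bytes):
        self.device_id = device_id
        self.device_secret = device_secret

    def sign(self, pin: str, method: str, path: str, body: bytes, now=None) -> dict:
        key = derive_request_key(pin, self.device_secret)
        request = {
            "device_id": self.device_id, "method": method, "path": path, "body": body,
            "timestamp": int(time.time() if now is None else now),
            "nonce": secrets.token_hex(16),
        }
        request["signature"] = signature(key, request)
        return request


def demo() -> dict:
    """Registration, one good request, then each attack the requirement list rules out.
    Device IDs, PIN and body are constructed sample values."""
    server = Server()
    phone = Client("iphone-1234", server.register("iphone-1234", "7391"))
    now, body, results = 1_700_000_000, b'{"patient": 42}', {}
    good = phone.sign("7391", "POST", "/v1/records", body, now=now)
    results["valid"] = server.verify(good, now=now)[1]
    results["replay"] = server.verify(good, now=now)[1]            # same request sent twice
    results["stale"] = server.verify(phone.sign("7391", "GET", "/v1/records", b"", now=now - 3600), now=now)[1]
    results["wrong_pin"] = server.verify(phone.sign("0000", "GET", "/v1/records", b"", now=now), now=now)[1]
    tampered = dict(phone.sign("7391", "POST", "/v1/records", body, now=now))
    tampered["body"] = b'{"patient": 43}'                           # body altered after signing
    results["tampered"] = server.verify(tampered, now=now)[1]
    stranger = Client("iphone-9999", secrets.token_bytes(32))      # knows the PIN, never registered
    results["unregistered"] = server.verify(stranger.sign("7391", "GET", "/v1/records", b"", now=now), now=now)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>12}: {outcome}")
```

The nonce cache is per device and pruned to the timestamp window, so memory stays bounded; in production it would live in shared storage so every API node sees the same nonces. Tying the key to an iPhone ID adds nothing here, since the randomly generated device secret already plays that role and, unlike the hardware ID, is actually secret.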