How do I secure a .NET Web Service for use by an i

Posted 2019-04-02 11:10

Question:

I have a Web Service written in .NET that provides data for an iPhone application. It will also allow the application to make a "reservation."

Currently it's all internal to the corporate network but obviously when the iPhone application is published I will need to ensure the Web Service is available externally.

How would I go about securing the Web Service?

There are two aspects I'm looking into:

  • Authentication for accessing the web service
  • Protection for the data being transferred

I'm not so bothered about the data being passed back and forth as it will be viewable in the application anyway (which will be free). The key issue for me is preventing users from accessing the Web Service and making reservations themselves.

At the moment I am considering encrypting any strings in the XML data passed back and forth so only the client can effectively use the web service sidestepping the need for authentication and providing protection for the data. This is the only model I have seen but I think the overheads on the iPhone and even for the web service make for a poor user experience.

Answer 1:

https is the simple answer, but you should not only provide the server with its own certificate, but give one to each mobile device. This allows for mutual authentication.

If you can't do this, you can employ AES to sign the messages from the iPhone to the server, using a shared secret known only to the server and the iPhone, but never transmitted in plain:

signature = AES(data + iphone udid + shared secret) (or something to that effect)

You should choose a way to distribute the secret that allows you to verify the other party.
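The shared-secret signing scheme this answer sketches, as an added example that is not part of the original answer. The answer writes the signature as "AES(...)"; this example uses HMAC-SHA256, the standard keyed MAC, as the signing primitive, and adds a timestamp so a captured request cannot be replayed later. The device id, request body and secret are constructed sample values; a real deployment provisions a per-device secret at enrolment and looks it up by device id on the server.

```csharp
// Added example: keyed request signature with a per-device shared secret.
// The primitive is HMAC-SHA256 (an assumption; the answer says "AES").
using System;
using System.Security.Cryptography;
using System.Text;

public static class RequestSigner
{
    // Reject signatures whose timestamp is further than this from server time.
    private static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5);

    // Canonical string that both sides sign. Fields are newline-separated so
    // that content cannot be moved from one field into another.
    private static string Canonical(string body, string deviceId, long unixTime)
        => $"{unixTime}\n{deviceId}\n{body}";

    // Client side: compute the signature over the canonical string.
    public static string Sign(string body, string deviceId, long unixTime, byte[] sharedSecret)
    {
        using var hmac = new HMACSHA256(sharedSecret);
        byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(Canonical(body, deviceId, unixTime)));
        return Convert.ToBase64String(mac);
    }

    // Server side: enforce freshness, recompute the MAC and compare in constant time.
    public static bool Verify(string body, string deviceId, long unixTime, string signature,
                              byte[] sharedSecret, long nowUnixTime)
    {
        if (Math.Abs(nowUnixTime - unixTime) > MaxSkew.TotalSeconds) return false;

        byte[] expected;
        using (var hmac = new HMACSHA256(sharedSecret))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(Canonical(body, deviceId, unixTime)));

        byte[] provided;
        try { provided = Convert.FromBase64String(signature); }
        catch (FormatException) { return false; }

        return CryptographicOperations.FixedTimeEquals(expected, provided);
    }

    public static void Main()
    {
        // Constructed sample values (hypothetical device id and reservation body).
        byte[] secret = RandomNumberGenerator.GetBytes(32);
        string deviceId = "device-0001";
        string body = "<reservation><room>12</room><date>2019-04-03</date></reservation>";
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();

        string sig = Sign(body, deviceId, now, secret);
        Console.WriteLine("valid request:    " + Verify(body, deviceId, now, sig, secret, now));
        Console.WriteLine("tampered body:    " + Verify(body.Replace("12", "13"), deviceId, now, sig, secret, now));
        Console.WriteLine("replayed later:   " + Verify(body, deviceId, now, sig, secret, now + 600));
    }
}
```

The server only ever compares a freshly computed MAC against the one presented, using a fixed-time comparison, so a forged signature is rejected without leaking how many bytes matched. Mutual TLS, the answer's first suggestion, is a transport-level configuration (server requires and validates a client certificate) and is not shown here.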



Answer 2:

Just use https to make your web service calls. You can then employ whatever authentication you want and maybe receive back a token which will be passed to subsequent web service calls. Your authentication details and your data will then be secured. There will be some overhead but it shouldn't be huge.
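The token flow this answer describes, as an added example that is not part of the original answer: the client authenticates once over HTTPS, receives a random opaque token, and presents it on later calls. The token store, lifetime and user name are constructed for the example; the server keeps only a SHA-256 hash of each token, so a leaked session table does not yield usable tokens.

```csharp
// Added example: opaque bearer tokens issued after authentication and
// validated on subsequent calls. In-memory store for illustration only.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public sealed class TokenService
{
    private sealed record Session(string UserId, DateTimeOffset Expires);

    // Keyed by the hex SHA-256 of the token, never by the token itself.
    private readonly ConcurrentDictionary<string, Session> _sessions = new();
    private readonly TimeSpan _lifetime;

    public TokenService(TimeSpan lifetime) => _lifetime = lifetime;

    private static string Hash(string token)
        => Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // Called only after the user's credentials have been verified over HTTPS.
    public string Issue(string userId, DateTimeOffset now)
    {
        // 256 bits from the CSPRNG; unguessable, so the token alone is the credential.
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _sessions[Hash(token)] = new Session(userId, now + _lifetime);
        return token;
    }

    // Called on every subsequent request; returns the user id or null if rejected.
    public string? Validate(string token, DateTimeOffset now)
    {
        string key = Hash(token);
        if (!_sessions.TryGetValue(key, out var session)) return null;
        if (session.Expires <= now)
        {
            _sessions.TryRemove(key, out _);   // expired: drop it
            return null;
        }
        return session.UserId;
    }

    // Logout or compromise response: the token stops working immediately.
    public void Revoke(string token) => _sessions.TryRemove(Hash(token), out _);

    public static void Main()
    {
        var service = new TokenService(TimeSpan.FromHours(1));
        var t0 = DateTimeOffset.UtcNow;
        string token = service.Issue("alice", t0);                  // constructed sample user

        Console.WriteLine("fresh token:   " + (service.Validate(token, t0) ?? "rejected"));
        Console.WriteLine("unknown token: " + (service.Validate("not-a-token", t0) ?? "rejected"));
        Console.WriteLine("after expiry:  " + (service.Validate(token, t0.AddHours(2)) ?? "rejected"));
        service.Revoke(token);
        Console.WriteLine("after revoke:  " + (service.Validate(token, t0) ?? "rejected"));
    }
}
```

Because the token is random and only its hash is stored, the server never needs to compare the raw token string; the lookup works on the hash and a wrong token simply misses. Short lifetimes plus explicit revocation limit the damage if a token is captured from a device.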



Answer 3:

I would prefer both encrypting (Base64/AES) + HTTPS. OData, OAuth authentication can also be used.