Securing web-API access

Frontend · Unresolved · 4 · 700
陌清茗 2021-01-14 12:24

I have a simple web-API accessible over HTTP with some corresponding mobile apps reading that data. Now someone decompiled an app / sniffed the HTTP traffic, got the url to

4 answers
  •  温柔的废话
    2021-01-14 12:43

    How to authenticate a web request?

    Basic HTTP authentication is obviously not sufficient if there's any risk of the traffic being sniffed unless it's sent over HTTPS (which would be secure).

    There are lots of other approaches - challenge based mechanisms (e.g. digest authentication), client certificates and SSL.

    It's really a question of which solution poses the least pain - SSL certificates cost money unless you set up your own certification authority (as long as you're not expecting the world to accept your certificates then it's fairly simple to do), or write code to implement a challenge / hash based on a shared secret.

    Or simply restrict URL access (via .htaccess) to a fixed set of ip addresses (optionally validated using IPSEC).
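The "challenge / hash based on a shared secret" option from the answer above, as an added example that is not the answerer's code: the server hands out a single-use nonce with a short lifetime, the client returns an HMAC-SHA256 over the nonce plus the request it wants to make, and the server recomputes the MAC and compares it in constant time. The secret value, the 60-second lifetime, the in-memory nonce store and the message layout are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed shared secret for the example. In a real deployment this would be
# provisioned per user or per installation; a single secret baked into the app
# binary is exactly what the decompilation in the question would recover.
SHARED_SECRET = b"example-shared-secret-not-for-production"


def compute_mac(secret: bytes, nonce: str, method: str, path: str, body: bytes) -> str:
    """HMAC-SHA256 over the nonce and the request, so the MAC is bound to both.

    Fields are newline-separated (an assumed layout); binding method and path
    means a captured MAC cannot be reused for a different request.
    """
    message = b"\n".join([nonce.encode(), method.encode(), path.encode(), body])
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class ChallengeServer:
    """Server side: issues one-time nonces and verifies the client's HMAC."""

    def __init__(self, secret: bytes, ttl_seconds: int = 60):
        self.secret = secret
        self.ttl = ttl_seconds
        # nonce -> issue time; an in-memory dict stands in for a real store
        self._nonces: Dict[str, float] = {}

    def issue_challenge(self, now: Optional[float] = None) -> str:
        """Return a fresh random nonce and remember when it was issued."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, nonce: str, method: str, path: str, body: bytes,
               client_mac: str, now: Optional[float] = None) -> bool:
        """Accept the request only if the nonce is unused, unexpired and the MAC matches."""
        issued = self._nonces.pop(nonce, None)  # pop: each nonce is valid once
        if issued is None:
            return False  # unknown or already-used nonce (replay)
        now = time.time() if now is None else now
        if now - issued > self.ttl:
            return False  # challenge expired
        expected = compute_mac(self.secret, nonce, method, path, body)
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(expected, client_mac)


def client_sign(secret: bytes, nonce: str, method: str, path: str, body: bytes) -> str:
    """Client side: answer the challenge for the request it is about to send."""
    return compute_mac(secret, nonce, method, path, body)


def demo() -> dict:
    """Run one honest exchange plus a replay and a tampered request."""
    server = ChallengeServer(SHARED_SECRET)
    t0 = 1000.0
    nonce = server.issue_challenge(now=t0)
    mac = client_sign(SHARED_SECRET, nonce, "GET", "/api/data", b"")
    results = {
        "honest": server.verify(nonce, "GET", "/api/data", b"", mac, now=t0 + 1),
        # same nonce again: must be rejected as a replay
        "replay": server.verify(nonce, "GET", "/api/data", b"", mac, now=t0 + 2),
    }
    nonce2 = server.issue_challenge(now=t0)
    mac2 = client_sign(SHARED_SECRET, nonce2, "GET", "/api/data", b"")
    # MAC was computed for /api/data but presented for a different path
    results["tampered"] = server.verify(nonce2, "GET", "/api/admin", b"", mac2, now=t0 + 1)
    nonce3 = server.issue_challenge(now=t0)
    mac3 = client_sign(SHARED_SECRET, nonce3, "GET", "/api/data", b"")
    # presented after the assumed 60-second lifetime
    results["expired"] = server.verify(nonce3, "GET", "/api/data", b"", mac3, now=t0 + 120)
    return results


if __name__ == "__main__":
    print(demo())
```

Because the MAC covers the nonce, a sniffed request cannot be replayed once the server has consumed that nonce, and because it covers the method and path it cannot be redirected at another endpoint. What the scheme does not do is hide the shared secret from someone who decompiles the app, which is why the answer's other options (HTTPS with client certificates, or IP restriction) remain relevant.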
