iOS -> .NET WebService authentication question

I'm building an iOS app which will communicate with a set of .NET WebServices. I'm trying to find a way to ensure on the WS side that the calls being sent actually came from the iOS app.

There is, of course, a "login" method which requires a username/password combination. I would like to add a "security token" to this method, which I can use to validate that the request is coming from the iOS app.

Since this is a parameter to the login method, is must be something known by the app and the web service BEFORE a valid login occurs. Additionally, it should be something which is impossible (difficult?) for another application to fake.

Are their any best practices / standard methods for th开发者_开发问答is sort of exchange? Am I even thinking about the problem in the correct way?

Thanks in advance!

Take a look at the oAuth specification (used by Twitter) it requires that a user is verified first, during the process a series of tokens are exchanged, and then the token is used to sign the data during subsequent data exchanges.

It works on the principals of public/private matched keys, so you have one key that is always kept a secret.