Accessing .NET Services from Mobile Clients

I have some HIGHLY sensitive data that I need to expose to Android and iPhone clients. My backend is completely in .NET. I'm trying to figure out the best approach to providing this sensitive data to the iPhone and Android platforms.

I'm getting lost in all of the opinions circling around the internet. Some say use SOAP because it is an established industry standard. Plus, it supports a开发者_StackOverflow中文版uthentication. On the other hand, others say avoid SOAP at all costs and use REST. But, I'm not sure how to use REST in a way that a) requires authentication b) is accessible to both Android and iPhone. WCF seems like the best approach for REST. But I have no clue to securely exchange data with the Android and iPhone client applications.

Can someone point me to some documentation and/or share thoughts on how to best do this? I understand the general concepts. It's just there are SOOOO many acronyms and technologies that I'm not sure which is an intelligent approach. My main concerns are 1) protecting my data 2) exposing to iPhone and Android client applications that I'm writing.

Thank you for your help!

REST is pretty simple to use from any client that you can access libraries that do http GET/POST. - The basis of REST is simply standard http stuff you're probably already familiar with if you use a browser. The android REST calls look pretty easy, and there are iphone libraries that make it easy (like the open-source all-seeing-eye http request library). It looks like both can support SSL + multiple forms of auth (basic is probably okay if you're only using SSL), which should satisfy your authentication and transmission security concerns.

As far as SOAP, it is a standard, but getting two different stacks to communicate can sometimes be a huge headache, and the concepts can be daunting to learn. SOAP can address the authentication and encryption in the message, but the SOAP libraries I've used make this difficult at best unless you're using exactly the setup in the examples. In many cases, I've ended up using SSL + web server auth again anyway.