I have an iOS application that authenticates to a Rails application. The first time it authenticates, it needs to submit a username and password, and in return the Rails application returns a token which the iOS application can use to authenticate in further communications.
The information being passed between them consists of the user's email address and other trivial information, but nothing highly sensitive like financial details etc. I need a way to protect these communications.
What is the simplest way I can add this protection?
HTTPS is a straightforward way to secure communication as it passes over the wire. Reusing a token for subsequent communication can be done with OAuth. You may want to take the approach that Facebook adopted in their iOS SDK. They put up their login page in a UIWebView (HTTPS) and return the OAuth token for subsequent calls.
EDIT: Since SSL seems to be "off the table", why don't you just authenticate with Basic Authentication and have each call re-authenticate instead of using a token?
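
The credentials-then-token flow from the question, combined with the HTTPS requirement from the answer, sketched server-side as an added example that is not part of the original posts. `TokenAuth`, its methods, the TTL and the iteration count are hypothetical; the `tls:` flag stands for whatever the server reports about the transport (in Rails, `request.ssl?`).

```ruby
require "securerandom"
require "openssl"
require "digest"

# Hypothetical in-memory service; a real app would persist users and tokens.
class TokenAuth
  TOKEN_TTL  = 3600     # seconds a token stays valid (constructed value)
  ITERATIONS = 100_000  # PBKDF2 work factor (constructed value)

  def initialize
    @users  = {}  # email => [salt, derived password hash]
    @tokens = {}  # SHA-256(token) => [email, expiry]; raw tokens are never stored
    @dummy_salt = SecureRandom.bytes(16)
  end

  def register(email, password)
    salt = SecureRandom.bytes(16)
    @users[email] = [salt, kdf(password, salt)]
  end

  # First request: credentials in, token out. Refused if it did not arrive over TLS.
  def login(email, password, tls:, now: Time.now)
    return nil unless tls
    salt, stored = @users[email] || [@dummy_salt, nil]
    candidate = kdf(password, salt) # also computed for unknown users
    return nil unless stored && secure_compare(candidate, stored)
    token = SecureRandom.urlsafe_base64(32)
    @tokens[Digest::SHA256.hexdigest(token)] = [email, now + TOKEN_TTL]
    token
  end

  # Later requests: value of the "Authorization: Bearer <token>" header.
  def authenticate(header, tls:, now: Time.now)
    return nil unless tls
    token = header.to_s[/\ABearer (\S+)\z/, 1]
    return nil unless token
    email, expires_at = @tokens[Digest::SHA256.hexdigest(token)]
    email && now < expires_at ? email : nil
  end

  private

  def kdf(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
  end

  def secure_compare(a, b) # compares every byte, no early exit
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end
```

The password crosses the wire once per login and the token expires on its own, so a captured token has a bounded lifetime; both still depend on the transport being encrypted.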