I'm helping build an Android application that is in synchronization with a Ruby on Rails application. We are working with Android 2.2 and Rails 3.x and Apache on Ubuntu.
This is something that is very new to me. You can register and login from the Android device. In both of these cases a username and password are sent to the server. In other cases where there is synchronization with the Rails application and Android, when a user is logged in, an authentication token is tagged to the end of the URLs. The creation and authentication of these tokens is handled with Devise.
My question is this:
What would be the best way to secure the passing of usernames, passwords, and tokens back and forth between Rails an the Android device?
What about using encrypted communication, for example SSL (HTTPS)? It is fairly easy to configure Apache for HTTPS communication and it is also natively supported on Android devices.