How do I secure my REST API?
I'd go with SSL/TLS everywhere (since you control both sides, forcing TLS 1.2 should be feasible). It's relatively simple to use, and you get a lot of security features for free. For example if you don't use SSL, you'll need to worry about replay attacks.
If you're worried about performance, make sure session resumption is supported by both the server and the client. This makes later handshakes much cheaper. Since the handshake is quite expensive in SSL compared to the encryption of the actual data, this reduces overall load considerably.
If you use HTTP 2, you can even send multiple requests over a single connection, that way you avoid the complete TCP and SSL handshake overhead on later requests.
I recommend using OAuth. You should definitely read up on it if you're not familiar with it. As a plus, you get to use 3rd party identity providers, so your users can use their Google / Windows Live / etc. accounts for your application, sparing the registration.
Even if you want to roll your own authentication framework, I don't recommend using non-expiring sessions. The session should expire after enough idle-time, else this gives more room to exploitation (session-hijacking e.g.).
Depends on just how secure it needs to be. Every time you make the solution more complex, you are also likely to leave a gaping hole. It's better to use some kind of industry standard authorisation and authentication module.
You will probably be fine, as long as you are:
- encrypting the password (with something like AES or Blowfish)
- salting the password
- sending the data over HTTPS
An alternative is OAuth.
If somebody wants to hack you badly enough, they will always find a way. The secret is increasing the time and effort required enough that it's not worth the while of somebody doing it. Hence, if you don't have huge amounts of customer and/or financial data, and you're not a high-profile company, a standard security implementation like the above should be fine.