As a newbie, I'm swamped with the amount of differing opinion on handling solutions with large numbers of user accounts, and the security of those solutions. This issue has become even worse with the release of WebDirect, because whilst that's developing into a really useful tool for me, I have not yet found a pretty way of handling user accounts.
I've spent the last three days testing a solution based on an external (iOS in this case) file which is authorised by a hosted file. The idea uses an open login to the iOS file and a "re-login" on the hosted file, and by golly I think I can make it work. But then I read opinions stating that I've reduced the security of my solution by taking the locks off the car door and relying on the ignition key.
I have a hosted file and an iOS app (and am developing a WebDirect app) which accesses the files on the host. Obviously I am avoiding both sync problems (I must for this client) and having to update the iOS device every time a user or permission changes on the host.
Is there a resource somewhere which explains in simple terms the best practice for security in this situation? Google can't seem to find one for me.
Or, more correctly, I can't find a resource, so can someone point me at the best one?