Given that this security stuff if somewhat complicated and the penalty for getting it wrong is that either the security does not work or, one may lose access entirely I would like to suggest that some level of security is implemented on OSPi right on the SDCard image at some future release.
It would be even nicer if the security could be switched OFF at installation and a simple shell script be included that could be invoked by typing a single command such as “security on” (or security off).
All that is really needed is to have the Pi request Username and Password at each login. I know that both apache and nginx can both do this and can both remember the password on each machine accessing.
How this would work with the mobile app I am not sure.
Anyway that’s my suggestion.