IP based often works well for business to business communication. This is because businesses usually have static IP addresses. You still have to address how to do you handle IP spoofing.
In your case, this approach could cause a issues, especially from a mobile device. Reason being is how do you guarantee the IP address doesn't change? For your typical consumer or SMB using a cable modem or DSL, this doesn't happen as often, but it can. In the mobile world, the IP address can literally change from minute to minute if they are using cellular service.
Never fear, you still have options!
I think your best option is to look at implementing a
Pre-shared Key[
^] security. I personally just built a publicly exposed WCF service that implements this. The key is stored on the client (preferably encrypted) and is transmitted to the server. The server then decrypts the key and verified is it is the correct key. I add one layer of additional security. I salt the key that is sent to the WCF service. I know that my key is a fixed length so I append random text to the end of it before encrypting it and sending it to my service. This way, the bytes are always changing each time the key is sent making it harder to deduce the secret key.
This is of course only one option. There are lot of other ways to implement security for public facing services. I would suggest picking up a book on WCF and read over the security chapter. There a lot of out of the box solutions that you might be able to make use of. If you are truly set on using IP address security, take a look at this:
IIS IP Security[
^]