And by secure, what do you actually mean? Do you mean that unauthorized access should be prevented? In that case, you need an authentication system. ASP.NET Web API already has that feature; it is called Identity.
ASP.NET Identity 2.1 with ASP.NET Web API 2.2 (Accounts Management) - Part 1 - Bit of Technology
ASP.NET has the Identity framework itself; all that you need to do is enable the accounts to also contain the tokens or authentication keys to use with Web API. Since your mobile application is also powered by the same web application, you can try to register the users using the same application — username/password. Just add a form for the user to fill in and then authenticate them.
If you want Web API to have a different authentication system, then look into OAuth.
OAuth 2.0 — OAuth
The working of the Web API and authentication was also explained a bit in one of my previous articles, Facial biometric authentication on your connected devices; skip to the parts where it mentions the authentication system, then read the method there.
For other types of security, such as SQL injection, XSS attacks, etc., please go through the complete section of Security on ASP.NET documentation. They provide an even broader concept and ways to secure your application against the most prominent attacks against your website or data.
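
The token setup suggested above, as an added example that is not part of the original answer: an OWIN startup that issues bearer tokens for ASP.NET Identity username/password logins and a Web API controller that requires one. It assumes the Microsoft.AspNet.Identity.EntityFramework, Microsoft.Owin.Security.OAuth and Microsoft.AspNet.WebApi.Owin packages; the class names, the `/token` path, the `api/profile` route and the `DefaultConnection` connection string name are illustrative.

```csharp
using System;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup // OWIN startup class; all class names here are illustrative
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),           // assumed endpoint path
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),   // short-lived tokens
            AllowInsecureHttp = false,                              // issue tokens over HTTPS only
            Provider = new PasswordGrantProvider()
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}

public class PasswordGrantProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // the mobile app is a public client, so no client secret is checked
        return Task.FromResult(0);
    }
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var store = new UserStore<IdentityUser>(new IdentityDbContext("DefaultConnection")); // assumed name
        using (var users = new UserManager<IdentityUser>(store))
        {
            var user = await users.FindAsync(context.UserName, context.Password);
            if (user == null) { context.SetError("invalid_grant", "Invalid credentials."); return; }
            context.Validated(await users.CreateIdentityAsync(user, context.Options.AuthenticationType));
        }
    }
}
[Authorize] // requests without a valid bearer token get 401
public class ProfileController : ApiController
{
    [HttpGet, Route("api/profile")] public IHttpActionResult Get() { return Ok(User.Identity.Name); }
}
```

The mobile client posts `grant_type=password` with the username and password to `/token`, then sends the returned token in an `Authorization: Bearer` header on each API call.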