Once again VPN and SSH tunnels will only solve a certain class of problems. End-to-end encryption is a good start. Restricting the session token to only one/few IP addresses could help solve a small subset of issues. Server authentication is a good thing to have as well. What am I missing?