Any business relying on the Internet of Things (IoT) for their operations requires that solutions are reliable and trustworthy. Security is a prerequisite and protection of online industrial or enterprise assets cannot be overstated. This paper focuses on the need to secure application data end-to-end between IoT device and enterprise application or IoT service provider. Securing application data applies to messages exchanged between applications of two endpoints, specifically sender authentication, receiver authentication, message integrity and message confidentiality. In IoT, an endpoint itself isn’t always reachable except through a gateway, which serves as a proxy to the endpoint device. A gateway may translate addresses, protocols, or commands along the IoT service path. As various types of gateways proliferate in IoT services, the communication security between sender and receiver depends on the security of each hop combined with business agreements and trust relations between the involved parties. Hop-by-hop security offers more points of attack and is a greater risk to the IoT service as IoT proxies such as application-layer gateways and middleboxes may alter the messages they forward at various protocol layers in the stack. The theme of this paper is that IoT data must be secure in transit and securing data at the transport layer alone is not always sufficient for preserving integrity and confidentiality through proxies, gateways or other middleboxes. Application-layer security is needed for many IoT service topologies to prevent critical data from becoming unprotected in middleboxes. The paper gives real-world use cases for application-layer end-to-end IoT security and describes the Open Mobile Alliance solution to these types of use cases.