I dug into the CSRF a bit and found that all routes in Sails are csrf protected and authorized unless it’s excluded by a policy. The signup route is probably safe to just set the csrf to false but if you want to keep it on you can request a token from the server by setting up a route to get the token and then sending that token in with the requests. Here is how I got it working with csrf.
Create a route to get a token in routes.js
'GET /csrfToken': { action: 'security/grant-csrf-token' },
Then in policies.js add the following to allow unauthenticated requests to the /csrfToken route.
'security/grant-csrf-token': true,
Then in iOS fetch the token and parse it into a string and include with the of your other params (or set the header X-CSRF-Token),
let params = ["fullName": fullName, "emailAddress": email, "password": password, "_csrf": <token_here>]