
Question

I'm building an app which should receive data from my server. The API should be a PHP based script which provides the data as JSON.
However, I want to keep the data private and it should only be accessible by the app itself.
How can I prevent others from reengineering my app and finding a way to access the API?
I thought about using an API key for the main access and SSL to prevent the data from being read while performing a man-in-the-middle attack, but how can I hide the GET request itself, or should I use some kind of PGP and encrypt the data itself?

Explanation / Answer

The first thing you should do is to ensure that all communication between your app and the server uses HTTPS rather than HTTP. This should protect you from casual packet inspection. To make this setup more secure, you may also consider using certificate pinning to prevent any man-in-the-middle attacks involving a forged certificate for your site.

If you are using SSL, the contents of the GET request will be encrypted (though the fact that you are making a connection to your server will be evident). Your real problem is that if you distribute the app to the general public, it can be reverse engineered and any API key you use can be extracted. You can obfuscate the binary, but this cannot totally eliminate the possibility of reverse engineering.

Depending on your app, and the nature of your data, you may want to worry more about authenticating the users of your app, rather than the application itself.
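The answer's last point, that the server should authenticate users rather than trust a key baked into the app, is shown below as an added example; it is not code from the question or the answer. It is written in Python so the logic can be run directly, but the same primitives exist in PHP (`hash_hmac`, `hash_equals`), which the asker's backend uses. The server secret, the app key and the header names are constructed for the example. The shipped app key is treated only as a client-build identifier, because anyone who unpacks the app can read it; the private JSON is released only to a short-lived, HMAC-signed per-user token issued after login, which a leaked app key cannot forge.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed server-side secret for this example. A real deployment loads it
# from configuration on the server; it never ships inside the app binary.
SERVER_SECRET = b"example-server-secret-do-not-reuse"

# The key that ships inside the app. Assume it is public: reverse engineering
# recovers it, so the server must not treat it as proof of anything.
PUBLIC_APP_KEY = "demo-app-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_user_token(user_id: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Issue a short-lived bearer token for a user who has already logged in.

    Token format: base64url(JSON payload) + "." + hex(HMAC-SHA256 over the payload).
    """
    now = time.time() if now is None else now
    payload = {"sub": user_id, "exp": int(now + ttl_seconds), "nonce": secrets.token_hex(8)}
    body = _b64url(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_user_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    # Check the signature before parsing anything, with a constant-time compare.
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    try:
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload.get("sub")


def handle_request(headers: dict, now: Optional[float] = None) -> Tuple[int, dict]:
    """Authorize one request to the JSON endpoint and return (status, body).

    The app key only identifies the client build. The private data is returned
    only when a valid user token is presented, so extracting the app key from
    the binary is not enough to read other users' data.
    """
    app_key = headers.get("X-App-Key", "")
    if not hmac.compare_digest(app_key.encode(), PUBLIC_APP_KEY.encode()):
        return 400, {"error": "unknown client"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "login required"}
    user = verify_user_token(auth[len("Bearer "):], now=now)
    if user is None:
        return 401, {"error": "invalid or expired token"}
    # Constructed placeholder for the private JSON payload.
    return 200, {"user": user, "data": {"items": ["private record for " + user]}}


if __name__ == "__main__":
    token = issue_user_token("alice", ttl_seconds=60)
    print(handle_request({"X-App-Key": PUBLIC_APP_KEY}))
    print(handle_request({"X-App-Key": PUBLIC_APP_KEY, "Authorization": "Bearer " + token}))
```

The expiry keeps a stolen token useful only briefly, and because the signing secret never leaves the server, obfuscating the app becomes a hardening measure rather than the thing the data's confidentiality rests on.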