securing a REST API accessible from Android

Backend | unresolved | 5 answers | 866 views
故里飘歌 2020-12-07 10:37

We're building a game for Android, which needs access to web services - so we wrote a RESTful API in PHP that runs on our own server. What the API offers is: creating u

5 answers
  •  渐次进展
    2020-12-07 11:05

    If you really want to secure the connection then you'll have to use public key cryptography, e.g. RSA. The device will encrypt the login information using the public key, and on the server end you will have to decrypt it using the private key. After login the server will send a token/encryption key (the response will be an encrypted JSON or something) and the device will store that. From then on, as long as the session has not expired, the device will send all the information encrypted using that token. For these requests you should not use RSA, because that will take more time. You can use AES256 (which is a popular private key encryption) with that encryption key received from the server to encrypt your requests.

    For the sake of simplicity you can drop RSA altogether (if you are not sending payment information) and do everything using AES256 with a private key. The steps should be:

    • Encrypt every outgoing request with a private key.
    • Convert the encrypted string to a Base64 string.
    • URL-encode the Base64-encoded string.
    • Send it over.

    On the server end

    • Base64-decode.
    • Decrypt using the private key.

    Your request should carry a signature (e.g. the encryption key appended as a salt) so that it becomes possible to identify it after decrypting. If the signature is not present simply discard the request.

    For sending responses do the same.

    The Android SDK should have methods for encrypting with AES256 and for Base64 encoding.
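The procedure in this answer (encrypt each request with a shared key, Base64-encode, URL-encode; on the server decode, decrypt, discard anything that does not carry a valid signature), worked through as an added example in Go. This is not code from the answer or from the asker's project (whose API is PHP and whose client is Android); it stands in for both sides so the exchange can be run end to end. It uses AES-256-GCM rather than bare AES so that the authentication tag serves as the signature the answer describes, instead of appending the key as a salt. The key, the sample request body and the function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// sharedKey is a constructed 32-byte key (AES-256) that the app and the server
// are assumed to both hold. Real code would receive it from the login step.
var sharedKey = []byte("0123456789abcdef0123456789abcdef")

// newGCM wraps the key in AES-256-GCM. GCM is chosen over bare AES so that the
// authentication tag acts as the per-request signature.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRequest is the client side: encrypt with the shared key, prepend the
// random nonce, Base64-encode, then URL-encode so the result can travel as a
// form field or query parameter.
func SealRequest(key, plaintext []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Wire layout: nonce || ciphertext || 16-byte GCM tag.
	sealed := gcm.Seal(nonce, nonce, plaintext, nil)
	return url.QueryEscape(base64.StdEncoding.EncodeToString(sealed)), nil
}

// OpenRequest is the server side: URL-decode, Base64-decode, split off the
// nonce and decrypt. A wrong key, a flipped byte or a truncated body fails the
// tag check, and the request is discarded as unsigned.
func OpenRequest(key []byte, wire string) ([]byte, error) {
	b64, err := url.QueryUnescape(wire)
	if err != nil {
		return nil, fmt.Errorf("bad URL encoding: %w", err)
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("bad Base64: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("too short to carry a nonce and tag; discarding")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("signature check failed; discarding request")
	}
	return pt, nil
}

// Tamper flips one bit of byte i of the decoded wire form and re-encodes it,
// standing in for an attacker who modifies the request in transit.
func Tamper(wire string, i int) (string, error) {
	b64, err := url.QueryUnescape(wire)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if i < 0 || i >= len(raw) {
		return "", errors.New("byte index out of range")
	}
	raw[i] ^= 0x01
	return url.QueryEscape(base64.StdEncoding.EncodeToString(raw)), nil
}

func main() {
	req := []byte(`{"action":"create_user","name":"alice"}`) // constructed body
	wire, err := SealRequest(sharedKey, req)
	if err != nil {
		panic(err)
	}
	fmt.Println("on the wire:", wire)
	pt, err := OpenRequest(sharedKey, wire)
	fmt.Printf("server decrypted: %s (err=%v)\n", pt, err)
	bad, _ := Tamper(wire, 12) // first ciphertext byte, just past the 12-byte nonce
	_, err = OpenRequest(sharedKey, bad)
	fmt.Println("tampered request:", err)
}
```

Responses use the same two functions in the opposite direction. One caveat a practitioner should keep in mind with the simplified variant: a key that ships inside the APK is available to anyone who unpacks the app, so this scheme hides traffic from a passive observer but does not stop a user of the app from forging requests. TLS gives the transport protection without shipping a key, and the token issued at login is what should tie requests to a user.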
