Securing web-API access

陌清茗 2021-01-14 12:24

I have a simple web-API accessible over HTTP with some corresponding mobile apps reading that data. Now someone decompiled an app / sniffed the HTTP traffic, got the url to

4 answers
  •  青春惊慌失措
    2021-01-14 12:59

    Server & client-side code change is an option!

    First, you can't prevent it completely (without legal action :). Use SSL/TLS, that will help with the sniffing possibility.

    If the app is downloaded directly from your server (not through an app store/third party) you can secure it a bit more. When a user downloads the application make sure the user is authenticated, generate a key, include it in the application and use it in all further communication with that user. The hacker/thief can mimic that, but they'll need to go through their server to simulate a login and download of your application -- you can find and block that.
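
A server-side sketch of the per-download key scheme the answer above describes, added here as an example and not part of the original answer. Signing each request with HMAC-SHA256 over method, path and timestamp is an assumption (the answer only says to use the key in all further communication), and `issue_key`, `sign`, `verify`, `block` and the in-memory stores are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

# In-memory stores standing in for a database (assumption for this sketch).
KEYS = {}        # key_id -> (user, secret)
BLOCKED = set()  # key_ids revoked after abuse was detected
MAX_SKEW = 300   # seconds a signed request stays valid


def issue_key(user):
    """Call once the user has authenticated for the download; embed the result in that build."""
    key_id = secrets.token_hex(8)
    secret = secrets.token_bytes(32)
    KEYS[key_id] = (user, secret)
    return key_id, secret


def sign(secret, method, path, ts):
    """Client side: HMAC over method, path and timestamp using the embedded key."""
    msg = f"{method}\n{path}\n{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(key_id, method, path, ts, sig, now=None):
    """Server side: return the owning user for a valid request, otherwise None."""
    now = time.time() if now is None else now
    if key_id in BLOCKED or key_id not in KEYS:
        return None  # unknown key, or a download that was blocked
    if abs(now - ts) > MAX_SKEW:
        return None  # stale or replayed request
    user, secret = KEYS[key_id]
    expected = sign(secret, method, path, ts)
    # Constant-time comparison avoids leaking how much of the signature matched.
    return user if hmac.compare_digest(expected, sig) else None


def block(key_id):
    """Revoke one download's key without affecting any other user."""
    BLOCKED.add(key_id)
```

Because every key maps to one authenticated download, request volume can be tracked per `key_id`, and a key extracted from a decompiled copy can be blocked on its own.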
