What is the best way to create a mobile application that communicates with a Webserver?

I am developing a mobile application that should contain the same content as the site, and the same database (MySQL) used by the site must also be used by the mobile application.

I believe that creating a direct connection from the mobile app (Android) to the remote database would be a security flaw, as anyone could open the APK and discover the connection data, so it would be necessary to create a web service exclusively for this data transfer. But as I see it, that would have the same flaw, security, because anyone could access it and send or receive information.

What is the best technique to transfer data between a web service and a mobile application, given that this web service needs to be "closed" to external and unauthenticated access?

Author: David, 2015-12-01

2 answers

From the moment you need to create a web service/API for mobile client access, your web service becomes public. And public web services will always be subject to unauthorized access, since your application must necessarily contain the information needed to access it.

However, there are techniques to make your access data less vulnerable. The most common are the use of ProGuard to obfuscate your code in case of reverse engineering, SSL to avoid MITM and sniffers, and more advanced encryption such as HMAC authentication.

But none of it is 100% hacker-proof.

 2
Author: Androiderson, 2015-12-01 17:16:18
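
The HMAC authentication mentioned in the answer above, shown as an added example that is not part of the original answer: the client signs the method, path, body hash, timestamp and nonce, and the server recomputes the MAC and rejects tampered, stale or replayed requests. The field layout, the 300-second window and the names `canonical`, `sign` and `Verifier` are assumptions made for illustration, as is the use of a per-client key rather than one shared secret compiled into every APK.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)


def canonical(method, path, body, timestamp, nonce):
    """Bytes both sides sign: every field that must not change in transit."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign(key, method, path, body, timestamp, nonce):
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    msg = canonical(method, path, body, timestamp, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: per-client keys plus rejection of stale or replayed requests."""
    def __init__(self, keys):
        self.keys = keys  # client_id -> secret key (bytes)
        self.seen = {}    # (client_id, nonce) -> timestamp of accepted requests

    def verify(self, client_id, method, path, body, timestamp, nonce, signature, now=None):
        now = time.time() if now is None else now
        key = self.keys.get(client_id)
        if key is None:
            return "unknown client"
        if abs(now - timestamp) > MAX_SKEW:
            return "stale timestamp"
        expected = sign(key, method, path, body, timestamp, nonce)
        # compare_digest is constant time, so response timing does not leak the MAC
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad signature"
        # forget nonces outside the validity window, then refuse any nonce already used
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW}
        if (client_id, nonce) in self.seen:
            return "replayed nonce"
        self.seen[(client_id, nonce)] = timestamp
        return "ok"


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample value, not a real key
    ts = int(time.time())
    sig = sign(demo_key, "GET", "/api/posts", b"", ts, "nonce-1")
    print(Verifier({"device-1": demo_key}).verify("device-1", "GET", "/api/posts", b"", ts, "nonce-1", sig))
```

The MAC only proves possession of the key, so the request still has to travel over TLS for confidentiality, and the nonce store must be shared between servers if more than one handles requests.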

HTTPS (Hyper Text Transfer Protocol Secure) is an implementation of the HTTP protocol over an additional layer of security that uses the SSL/TLS protocol. This additional layer allows data to be transmitted over an encrypted connection and to verify the authenticity of the server and client through digital certificates.

Source: Wikipedia

 1
Author: Skywalker, 2015-12-01 19:22:56