Securing web-API access

陌清茗 2021-01-14 12:24

I have a simple web-API accessible over HTTP with some corresponding mobile apps reading that data. Now someone decompiled an app / sniffed the HTTP traffic, got the url to

4 answers
  •  攒了一身酷
    2021-01-14 12:45

    Use TLS (the successor of SSL).

    In short, nobody will be able to sniff the traffic, because it will be encrypted. The basic version includes only a server certificate - create a certificate (self-signed for a start) and let the server use it. What happens (I won't go into the handshake specifics):

    • the client sends a request
    • the server responds with its public key
    • the client generates a symmetric secret key (using AES or 3DES), encrypts it with the server's public key (RSA), and sends it to the server
    • the server decrypts the symmetric secret key (only the server, owning the private key, can decrypt it)
    • the communication continues with every message (request/response) being encrypted with the secret key that was securely transferred

    Most of this is handled by the APIs you'll be using, but it's good to know how things happen.

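A worked example of the advice in this answer, added here by the editor and not code from the answer or from the asker's project: a Go program (chosen because its standard library can play both the server and the client offline) creates the self-signed certificate in memory, serves a tiny HTTPS API with it, and then shows the point that matters for the mobile app. A client that ships the certificate and pins it gets the data; a client with an empty trust store fails the handshake with x509.UnknownAuthorityError, so a sniffer with a forged certificate would fail the same way. The host name api.example.test, the /data path and the response text are assumptions for illustration. One caveat in the editor's voice: the handshake sketched above, where the client encrypts a symmetric key under the server's RSA key, is the TLS 1.2 RSA key exchange; the Go peers here will negotiate TLS 1.3, where the session key comes from an ephemeral Diffie-Hellman exchange and the server's key (ECDSA in this example) only signs the handshake. The outcome the answer cares about, traffic that cannot be read by an observer, is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

const apiHost = "api.example.test"     // assumed host name, not from the post
const apiReply = "hello from the API" // constructed sample response

// selfSignedCert builds, in memory, the "self-signed for a start" server certificate, valid only for apiHost.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: apiHost},
		DNSNames:     []string{apiHost}, // modern verifiers match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail to parse
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// clientTrusting returns an HTTPS client that expects the server to be apiHost and whose
// trust store holds exactly the given certificates: what a mobile app must do with a
// self-signed server cert (ship it and pin it) instead of switching verification off.
func clientTrusting(certs ...*x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	cfg := &tls.Config{RootCAs: pool, ServerName: apiHost, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// get performs one request and returns the response body.
func get(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

type Result struct {
	PinnedBody           string // response seen by the client that pins the server cert
	UntrustedErr         error  // error seen by a client that trusts no certificate at all
	UntrustedIsUnknownCA bool   // true when that error is an x509.UnknownAuthorityError
}

// RunDemo serves the API over TLS with the self-signed cert, then queries it with a pinning
// client and with a client whose trust store is empty.
func RunDemo() (Result, error) {
	srvCert, leaf, err := selfSignedCert()
	if err != nil {
		return Result{}, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, apiReply) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{srvCert}}
	srv.StartTLS() // listens on 127.0.0.1; the client still verifies the cert against apiHost
	defer srv.Close()
	var res Result
	if res.PinnedBody, err = get(clientTrusting(leaf), srv.URL+"/data"); err != nil {
		return res, err
	}
	_, res.UntrustedErr = get(clientTrusting(), srv.URL+"/data")
	var unknownCA x509.UnknownAuthorityError
	res.UntrustedIsUnknownCA = errors.As(res.UntrustedErr, &unknownCA)
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pinned client got %q\nuntrusted client: %v (unknown CA: %v)\n", res.PinnedBody, res.UntrustedErr, res.UntrustedIsUnknownCA)
}
```

Run it with `go run`. The failing second client is the important half: when a self-signed certificate is rejected, the tempting "fix" in the app is `InsecureSkipVerify: true` (or its platform equivalent), which accepts any certificate and hands the traffic back to anyone who can sit on the path. Pin the certificate (or its public key) as the first client does, or get a certificate from a CA the phone already trusts, and set a MinVersion so a downgrade to SSL-era protocol versions is refused.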