Max Pain

Reputation: 1237

Securing the connection between android and php

I am developing an Android app where the user can sign up using the Android Facebook SDK. I am using the Google Volley library to make HTTP requests to my PHP page to receive JSON data from a MySQL database. I want to store personal information about the user and retrieve it later from the database. I spent the entire day looking on Google for ways to secure the Android-PHP connection. One of the most popular solutions I came across is to send a hash key with the POST request and verify that hash key via PHP. Like so:

<?php
// Hard-coded shared secret: anyone who decompiles the APK can read it.
$secret = $_POST['secret'] ?? '';
if (!hash_equals('3CH6knCsYmvA2fdghfdfgmf3JqmUctCM', $secret)) {
    header('HTTP/1.1 403 Forbidden');
    // Log the attempt; the submitted value is not echoed back to the client.
    error_log("ERROR: wrong secret: " . $secret);
    exit("Access denied");
}

The problem with the code above is that some hackers can decompile any APK file, look at the code and easily figure out what the key hash is. Since I don't have a custom login system with username and password to authenticate the user, what can I use to secure the connection between Android and PHP? I need an example or a link to a tutorial or any suggestion about established solutions to such a problem.

This question isn't new on Stack Overflow, but other similar questions are 2 or 3 years old, which is considered historic in the rapid development world of Android.

Upvotes: 1

Views: 380

Answers (1)

Gabe Sechan

Reputation: 93688

Securing the connection between the server and the app? Just use HTTPS. Now if you want to make it so only your app can access that web service - there needs to be some kind of secret shared between them to check. Normally this is a password, entered by the user. The fact the user enters it secures your app from hacking, as the info isn't in the app. If you aren't going to have the user enter it, then it needs to be in your app. Which means any hacker who really wants it will get it. You can obscure it a little bit, but they will find it eventually.

Basically, to ensure that it can't be reverse engineered you need the user and a full login system.

Upvotes: 3
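The model the answer describes, written out as an added example (this is not code from the question, the answer, or any library the page mentions): the only secret is the password the user types, the server checks it against a stored hash, and what the app keeps afterwards is a random per-session token that the server can revoke. The function names, the in-memory `$users` and `$tokens` arrays (standing in for the MySQL tables) and the sample account are assumptions made for the demo; it runs from the PHP CLI with no web server, and the commented request-handler lines show where the token would be read from an HTTPS request.

```php
<?php
// Added example, not from the question or answer. Names, the sample user
// and the in-memory stores are assumptions; in production the two arrays
// would be MySQL tables and the token would travel only over HTTPS.
declare(strict_types=1);

// User table: the password is stored as a hash and never ships in the APK.
// Constructed sample data.
$users = [
    'alice' => ['password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

// Token table: sha256(token) => [user, expiry]. Only the hash is kept, so a
// leaked table does not hand out usable tokens.
$tokens = [];

const TOKEN_TTL = 3600; // seconds a token stays valid

// Dummy hash so a lookup for an unknown user costs the same as a bad password.
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

// Step 1: login. The app sends what the user typed; the server verifies it
// and returns a fresh random token. Nothing app-wide is compared here.
function login(array $users, array &$tokens, string $dummyHash, string $username, string $password): ?string
{
    $hash = $users[$username]['password_hash'] ?? $dummyHash;
    if (!password_verify($password, $hash) || !isset($users[$username])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, unguessable
    $tokens[hash('sha256', $token)] = [
        'user'    => $username,
        'expires' => time() + TOKEN_TTL,
    ];
    return $token;
}

// Step 2: every later request carries the token. The server looks it up;
// there is no shared secret in the app for a decompiler to recover.
function authenticate(array &$tokens, string $token): ?string
{
    $key = hash('sha256', $token);
    if (!isset($tokens[$key])) {
        return null;
    }
    if ($tokens[$key]['expires'] < time()) {
        unset($tokens[$key]); // expired: drop it so it cannot be replayed
        return null;
    }
    return $tokens[$key]['user'];
}

// Step 3: logout (or a compromised device) invalidates the token server-side.
function logout(array &$tokens, string $token): void
{
    unset($tokens[hash('sha256', $token)]);
}

// In the real endpoint (not executed from the CLI) the token comes from
// the request, e.g. an "Authorization: Bearer <token>" header:
//   $header = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
//   $user   = authenticate($tokens, substr($header, strlen('Bearer ')));
//   if ($user === null) { header('HTTP/1.1 401 Unauthorized'); exit; }

// CLI demonstration of the three steps.
function check(bool $cond, string $what): void
{
    if (!$cond) {
        fwrite(STDERR, "FAIL: $what\n");
        exit(1);
    }
}

check(login($users, $tokens, $dummyHash, 'alice', 'wrong') === null, 'wrong password rejected');
check(login($users, $tokens, $dummyHash, 'nobody', 'x') === null, 'unknown user rejected');
$t = login($users, $tokens, $dummyHash, 'alice', 'correct horse battery staple');
check($t !== null && authenticate($tokens, $t) === 'alice', 'valid token maps to user');
check(authenticate($tokens, 'deadbeef') === null, 'forged token rejected');
logout($tokens, $t);
check(authenticate($tokens, $t) === null, 'revoked token rejected');
echo "ok\n";
```

The point this makes concrete is the answer's: a token issued after a user-entered password can be revoked and expires on its own, whereas the hard-coded `$_POST['secret']` check in the question is one constant for every copy of the app and can only be rotated by shipping a new APK. The token does nothing to protect the channel itself; that is what HTTPS is for, and without it the token is as exposed in transit as the secret was in the APK.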
