Hello,
We currently have a Titanium app running on iOS & Android, in beta phase with 100 users.
Until now, we have focused on customer needs and UI issues, but before launching the production version we want to improve security.
The app performs some operations on the user's device (iOS & Android) and occasionally (between 100 and 200 times per day) consumes "web services" that we have developed in PHP and host on our web server.
Users can download the app for free, register with the web server, and then use free and paid services.
The web services are things like:
- sign up user (free)
- make notes (free)
- view reports1 (free)
- view reports2 (paid)
- and so on...
All web services run on PHP, perform some operations or calculations, and return information in JSON format to the Titanium app.
All the services we offer (free and paid) cost us money, because all of them use cloud services that we have to pay for.
We are wondering how we should secure the service layer, but we have no idea. We have looked for information and best practices, but we haven't found (or understood) what patterns we should follow.
We think that a possible way could be to implement OAuth2 and a RESTful API, but all the examples we have seen use the same secret API key in every user's app (no matter which user is logged in on the server).
In any case, supposing we generate a different secret key for every user and store it in the user's app, the "sign up" web service couldn't be protected, or could only be protected by a generic secret API key shared by all users. Then a malicious attacker could generate tons of free users that, in the end, cost us money.
Is this correct?
Are there other ways / patterns that could secure our app?
We have no plans for desktop or web clients in the future. We think our web services will only be consumed by mobile apps.
Note that until now we have used PHP in the server layer, but we can port to Python, Node.js, etc. if that fits better with cloud hosting like Google App Engine or Amazon Web Services.
The reason for using PHP was to communicate with our WordPress server in a natural way.
Any help would be appreciated.
Best regards.
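As an added illustration of the pattern the question is circling (this is example code written for this page, not code from the original post and not the poster's PHP service layer), the sketch below uses Python as a stand-in for the PHP backend. It shows the two halves the question separates: sign-up, which no secret can protect because the app is free to download, is guarded by an abuse control (a sliding-window rate limit per source address), and everything after sign-up is authenticated with a per-user secret issued at registration and used to HMAC-sign each request, so no shared API key has to ship inside the app at all. Paid services are then authorized by a server-side flag, never by anything the client asserts. The class and method names, the limit values, the in-memory storage and the IP-based limiting are all assumptions for the example, not details from the post.

```python
"""Added sketch: per-user request secrets plus sign-up abuse control (in-memory, for illustration)."""
import hashlib
import hmac
import json
import secrets
import time
from collections import defaultdict, deque

# Assumed policy values for this example, not figures from the original post.
SIGNUP_LIMIT = 3        # sign-ups allowed per source address per window
SIGNUP_WINDOW = 3600    # window length in seconds
MAX_CLOCK_SKEW = 300    # seconds a signed request remains acceptable


class ServiceLayer:
    """Hypothetical stand-in for the PHP service layer. Every request after sign-up
    carries a per-user HMAC signature, so an app-wide API key is never needed."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}                    # user_id -> {"secret": bytes, "paid": bool}
        self.signups = defaultdict(deque)  # source_ip -> recent sign-up timestamps
        self.seen_nonces = {}              # (user_id, nonce) -> time until which it is remembered

    def signup(self, source_ip):
        """Unauthenticated by nature, so protected by an abuse control (sliding-window
        rate limit per source address) rather than by a secret. Returns None when throttled."""
        now = self.clock()
        recent = self.signups[source_ip]
        while recent and now - recent[0] > SIGNUP_WINDOW:
            recent.popleft()
        if len(recent) >= SIGNUP_LIMIT:
            return None
        recent.append(now)
        user_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)      # generated per user, never embedded in the app binary
        self.users[user_id] = {"secret": secret, "paid": False}
        return user_id, secret                # returned once; the app stores it in the OS keychain

    @staticmethod
    def canonical(method, path, body, timestamp, nonce):
        """Canonical string covered by the signature: method, path, time, nonce, body hash."""
        body_hash = hashlib.sha256(body).hexdigest()
        return "\n".join([method, path, str(timestamp), nonce, body_hash]).encode()

    @classmethod
    def sign(cls, secret, method, path, body, timestamp, nonce):
        """Client-side signing; the app runs this same computation with its own secret."""
        return hmac.new(secret, cls.canonical(method, path, body, timestamp, nonce),
                        hashlib.sha256).hexdigest()

    def handle(self, user_id, method, path, body, timestamp, nonce, signature):
        """Authenticate a signed request, reject replays, then authorize and dispatch."""
        user = self.users.get(user_id)
        if user is None:
            return 401, {"error": "unknown user"}
        now = self.clock()
        if abs(now - timestamp) > MAX_CLOCK_SKEW:
            return 401, {"error": "stale timestamp"}
        # Forget nonces whose timestamp window has closed, then refuse any nonce already used.
        self.seen_nonces = {k: exp for k, exp in self.seen_nonces.items() if exp >= now}
        if (user_id, nonce) in self.seen_nonces:
            return 401, {"error": "replayed request"}
        expected = self.sign(user["secret"], method, path, body, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):   # constant-time comparison
            return 401, {"error": "bad signature"}
        # Remember the nonce for as long as its timestamp would still be accepted.
        self.seen_nonces[(user_id, nonce)] = timestamp + MAX_CLOCK_SKEW
        return self.dispatch(user, path, body)

    @staticmethod
    def dispatch(user, path, body):
        """Authorization: paid services check the server-side flag, never a client claim."""
        if path == "/notes":
            return 200, {"saved": json.loads(body)}
        if path == "/reports1":
            return 200, {"report": "free report"}
        if path == "/reports2":
            if not user["paid"]:
                return 403, {"error": "payment required"}
            return 200, {"report": "paid report"}
        return 404, {"error": "no such service"}
```

The secret issued by signup() is the only thing that ties a request to a user, so it must travel over TLS once and be stored in the platform keychain, not in app preferences. The per-address sign-up limit only raises the attacker's cost; anyone with many addresses can still register accounts, so in practice it is combined with other friction (CAPTCHA, e-mail or SMS verification, device attestation) before a new account is allowed to call anything that costs money. In a deployment with several servers the nonce cache and the sign-up counters would live in a shared store rather than in process memory.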