This question already has an answer here:
I have a PHP file that queries my database and then returns information in XML format back to my application. Right now, if I just go to the URL in the browser and put in the proper parameters in the URL, the information is shown right to me. Is there a way that I can make the PHP page ONLY accessible through the application(iOS and Android)? I have searched, and the only thing that I can find is making the page only accessible through includes, but I don't see how this would restrict the access if the person figured out the php page that included the file. Any suggestions are appreciated!
Thanks
</div>
Almost any restriction you put on it will essentially come down to "Put something in the request that only the application will send".
The basic approach would be "Keep the URL secret". If only the application knows about it, then only the application can make a request to it. Anything else (passwords, API keys, custom HTTP headers, user-agent sniffing, etc) is just complexity around the same concept.
Making the request over HTTPS instead of HTTP will protect the secret from exposure to sniffing.
Nothing can save you from decompilation though.
You could add a custom http header in your client request inside your app with a challenge code. Your script detects the header and verifies the challenge. If the verification is passed, you execute the script, otherwise you return a 403 Forbidden.
Rather not. In fact everyone can insert false data in his browser information and you wouldn't find out if this is Microsoft Internet Explorer on Windows 95 or Chrome on Android phone.
You may try to block by IP number, but this is not blocking application, but the user.
The only idea I have is to use some user/password login things, which only your application would know, but it has its own security holes (like man-in-the-middle).