I'm aware multiple questions have been asked on the topic but none have really answered my specific question.
My app
I have a PHP-based API that retrieves AND posts information from my MySQL database. I use it to check for login, to create new accounts, but also to retrieve simple data from the database. My app isn't on the AppStore yet, and right now, my API has no security whatsoever: it's the first API I've ever made, and I was just focusing on the basics. Now it's over, I want to add some security. I've done lots of research and oAuth seems over the top and way too difficult for what I'm trying to do here. I'm confused on the oAuth topic, about 2-legged or 3-legged oAuth.
Let's say I want this simple scheme to be secured: 1) users enters login information 2) iOS app sends credentials to PHP-based API server 3) API checks in database if login credentials are correct 4) API returns (in jSON) the result of the request 5) App process the jSON
This is the current flow. What is the most simple way to secure this? Is oAuth worth it or can I make a simpler, hand-made encryption system with a private key only my app and my API would know and that I would simply add in the POST?
General rule of thumb for security is to go with a tried and tested solution. As such oAuth with some external sign-in method (Like Facebook, Google, Twitter etc) is a good way to go. I think you'll find that it's a lot less work actually than rolling your own user data base, password handling, authentication and so on.
However if you're not keen on doing this, there are most likely complete PHP frameworks for adding security, for example PHP-LOGIN. If you insist on doing it yourself, the answers here might provide some detail: Developing a secure PHP login and authentication strategy although I strongly advise against implementing your own security solution unless you're an expert in the area.