I am developing a web application with a PHP backend, but there are plans to make an Android app for mobile users. After doing a bit of research I found out that I need to write the PHP backend as a RESTful API web service to support both the users using the website on their desktop browsers and the Android app users.
Do I need to write something like this imgur API for my loosely classified "social networking" app? The reason I am asking this is because I am confused as to why I have to write an API to access my own users' data. I was under the impression that such APIs are written to allow a third party to have access to your users' information, for instance when you use a Facebook user id/password to log into Stack Overflow.
Security is a major concern here. The applications, specifically the Android app, would work by communicating with the API that I'll write, so do I need to use OAuth2 to authenticate the Android app users and give them tokens for accessing their data? Again, I thought OAuth2 was used when you wanted to give third-party applications access to some of your users' data. Why is this better than just authenticating them using their email id and password like you would on your desktop browser? Or should you use OAuth2 for both?
Lastly, continuing the above example of imgur, consider this URL used for getting an image - https://api.imgur.com/3/image/{{imageHash}}
If I write something similar to, say, get a user's information after authentication, e.g. https://api.mysite.com/users/get/{{user_id}}
how do I prevent the world from knowing this, considering imgur wrote their API for the world to have access to their stuff but I am writing it just for my Android application?
Will I be writing the URL in my code? Maybe something like - usersJsonArray = new JSONObject("https://api.mysite.com/users/get/{{user_id}}").getJSONArray("user");
Also, the HTTPS server will return a JSON with the user's details to the Android mobile. How secure is that? I mean, the server uses HTTPS, so that means no one can see the JSON response from the server, right?
Ok so this - http://acaasia.blogspot.com/2013/04/designing-secure-rest-web-api-without.html says you could achieve good security by following Amazon's design. But I have trouble understanding the explanation fully. Anyone here willing to lend some help understanding it?
This keeps getting interesting, now we need to consider HMAC vs OAuth2. Sad thing is these are just abstract guidelines with no code to refer to.
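The HMAC-signed-request scheme the question refers to (the Amazon-style design from the linked post) can be shown in a few dozen lines of the backend's own language. The following is an added example written for this answer, not code from the question, the linked blog post or the imgur API: the key id `key-42`, the per-user secret, the header names `X-Key-Id`, `X-Timestamp`, `X-Nonce` and `X-Signature`, the `/users/42` path and the 300-second skew window are all constructed values chosen for illustration. The client signs a canonical string (method, path, query, body hash, timestamp, nonce) with a secret that never travels over the wire; the server recomputes the signature, compares it in constant time, rejects stale timestamps and rejects a nonce it has already seen, so a captured request cannot simply be replayed.

```php
<?php
// Added example: HMAC request signing and verification (AWS-style), with
// constructed key ids, secrets and request values. Not code from the question
// or from any project it mentions.
declare(strict_types=1);

const MAX_CLOCK_SKEW = 300; // seconds a signed request stays valid; bounds replay window

/** Canonical string both sides sign. Field order and separators are fixed. */
function canonical_string(string $method, string $path, string $query, string $body, int $timestamp, string $nonce): string
{
    return implode("\n", [
        strtoupper($method),
        $path,
        $query,
        hash('sha256', $body),   // bind the body without embedding it
        (string) $timestamp,
        $nonce,
    ]);
}

/** Client side: compute the value sent in the X-Signature header. */
function sign_request(string $secret, string $method, string $path, string $query, string $body, int $timestamp, string $nonce): string
{
    return hash_hmac('sha256', canonical_string($method, $path, $query, $body, $timestamp, $nonce), $secret);
}

/**
 * Server side. $lookupSecret maps a key id to that user's secret (normally a DB
 * lookup); $seenNonce records the nonce and returns true if it was used before.
 */
function verify_request(callable $lookupSecret, callable $seenNonce, array $headers, string $method, string $path, string $query, string $body, int $now): bool
{
    foreach (['X-Key-Id', 'X-Timestamp', 'X-Nonce', 'X-Signature'] as $h) {
        if (!isset($headers[$h])) {
            return false;                   // unsigned or incomplete request
        }
    }
    $timestamp = (int) $headers['X-Timestamp'];
    if (abs($now - $timestamp) > MAX_CLOCK_SKEW) {
        return false;                       // stale or future-dated request
    }
    $secret = $lookupSecret($headers['X-Key-Id']);
    if ($secret === null) {
        return false;                       // unknown key id
    }
    $expected = sign_request($secret, $method, $path, $query, $body, $timestamp, $headers['X-Nonce']);
    if (!hash_equals($expected, $headers['X-Signature'])) {
        return false;                       // constant-time comparison, no timing leak
    }
    // Only record the nonce after the signature checks out, so an unauthenticated
    // sender cannot burn nonces on a legitimate user's behalf.
    return !$seenNonce($headers['X-Nonce']);
}

// --- demo with constructed values ---
$secrets    = ['key-42' => 'constructed-per-user-secret'];
$usedNonces = [];
$lookup = fn(string $id): ?string => $secrets[$id] ?? null;
$seen   = function (string $nonce) use (&$usedNonces): bool {
    if (isset($usedNonces[$nonce])) {
        return true;
    }
    $usedNonces[$nonce] = true;
    return false;
};

$now   = time();
$nonce = bin2hex(random_bytes(16));
$headers = [
    'X-Key-Id'    => 'key-42',
    'X-Timestamp' => (string) $now,
    'X-Nonce'     => $nonce,
    'X-Signature' => sign_request($secrets['key-42'], 'GET', '/users/42', '', '', $now, $nonce),
];

var_dump(verify_request($lookup, $seen, $headers, 'GET', '/users/42', '', '', $now));   // fresh, valid
var_dump(verify_request($lookup, $seen, $headers, 'GET', '/users/42', '', '', $now));   // same nonce again: replay
$tampered = $headers;
$tampered['X-Signature'] = str_repeat('0', 64);
var_dump(verify_request($lookup, $seen, $tampered, 'GET', '/users/42', '', '', $now)); // forged signature
```

The first call succeeds, the second fails because the nonce was already consumed, and the third fails on the signature check. In a real deployment the nonce store lives in something shared across workers (a database table or cache keyed by nonce with a TTL of MAX_CLOCK_SKEW) and the per-user secret is issued once, after the email/password login, and stored on the device; HTTPS still protects the whole exchange in transit, while the signature is what ties each request to a specific user and stops a copied URL from being reused.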