I am working on a mobile app using Corona SDK. One of its core functionalities requires sending data between the app and my server. My question is, at what point do my attempts at making the data transfer secure become redundant?
The server side consists of a few PHP files and a single MySQL database. I have an SSL certificate and I validate the data at both ends. The app itself only makes network requests via HTTPS/SSL using HTTP POST and the data being transferred is a JSON string.
To this point, I believe that I have done everything as they should be done. However, as an extra precaution, I also encrypt and decrypt the JSON string at both ends using AES256-CBC.
Is this extra encryption at all necessary or is it redundant?
HTTPS protects the transport between the client (browser) and the server. It specifically does not protect data at rest at the server side (i.e. inside the database) not does it protect the transfer of the data between the PHP application to the database.
It is unclear if any protection outside the transport between client and server is needed. But it seems that your AES encryption will only protect the same path as HTTPS already does. In this case it will likely not add any protection. It might maybe add protection against legal (or malicious) SSL interception but if the encryption key is send over the same communication channel as the encrypted data then it will not actually add protection.