I'm building an iPhone app that needs to communicate with a PHP api. It will send its data via POST. Not that I have any sensitive data concerns, but I am curious as to how I can ensure that the POST is coming from: the app; or the device; or at least an iPhone.
Jake Wharton's answer on this answer talks about a "known call and response pattern" and I will use that method if there is know other way: How to ensure/determine that a post is coming from an specific application running on an iPhone/iTouch?
I'm not needing SSL or anything, but I will implement low-tech protective measures where possible.
You could use a token string that you send with each request that only your app would know and verify it on the server, but you should probably use SSH so no one can sniff your token.
edit:
So my first answer was a little flawed. Another thing you could try is creating a signature by encoding the data you are about to send with some secret key using HMAC and send the signature in the header with your request. Then on the server sign the data again using your secret key and make sure they match. I think this should still be combined with SSL, but I think it can give you a reasonable assurance that the data is coming from your app. Without SSL it would be possible for someone to do replay attacks.