I am building a mobile app that needs server side processing. I have created the server side using LAMP and the app just calls the respective php pages using an URL to request data. For example for signup I have created signup.php and app calls signup.php to verify login credentials of the app. I also have php scripts to say pull product information for the product the user is requesting. At this time these PHP pages are publicly accessible even though they would return a blank page. However how do I ensure these PHP pages are only accessible to my mobile application? How do I make it more secure?
Additionally the user on the mobile only needs to sign up once. Once signed up he stays logged in perennially until he uninstalls the app.
What you could do, is to have per device authentication. When your user goes to sign up in the app, app sends request to the server with credentials. If the credentials are OK you generate a unique hash. You store this hash close to the user - either directly to users table, or to a table that is in relation (depends if you allow multiple devices signed to one user). This hash will be send with every request to the server. Based on the hash you look-up the user and you know who you're dealing with.
This hash can be, once in a while, regenerated (you send new hash to the device and that stores it again).
Also, you can use some secrete key to create a checksum for every request. Than you create checksum on server as well and compare. Be aware though that, if the key is stored in the code, anyone can get it. This key can be sent from the server as well.
It's probably obvious that the server should be on HTTPS.