This is the first time I face a mobile app deployment at big scale. This app needs to connect to a remote server where to store and retrieve data.
I discarded connecting directly to the MySQL database as it would be a very bad idea, so I put some PHP scripts in the server side that receives data from mobile devices as HTTP POST queries and produces a valid response depending on the query.
Now I'm starting being concerned about security using this approach. Anyone may connect to their home WiFi and set as the gateway some local machine and start sniffing traffic, this way it would be very easy to know which queries are being sent and how to tamper some queries to get/send unathorized data.
To prevent it, I have considered the following approaches:
SSL: Seems obvious, but as far as I know, SSL will encrypt data in the wire transaction but still is able to be sniffed in a local machine.
Encryption algorithm: Encrypt both on the client and server side messages with some secure encryption. This would face some other issues, though, as hardcoding some keys in the app, which seems not a big deal.
I'd like to avoid using third-party add-ons and use my own code to do all the stuff, but at this point I'm stucked on how to procceed.
Any ideas? Thanks!