I am beginning to develop apps for Android and iOS that make API calls to a PHP web application that I will be developing. Users will be required to sign up with a username, password, and (optional) phone number and email, and I plan to keep this data in an SQL database. Users will be able to sign up from the phone apps as well as on the website where the PHP-based API is hosted. I know that all too often application developers do not prioritize security and I would like to make sure that I do.
In terms of web-server security what can I do to make sure that my users' data stays secure? When developing, what types of security practices should I put in place to keep my application as secure as possible? (e.g. sanitizing username/password input to prevent SQL injection, SSL for API calls from apps to the web server, not making API calls with plaintext passwords, etc.)
I know the question is broad but I think any answer represents the possibility of increased protection that I have not thought of.