How do mobile (Android) apps communicate securely with backend servers?
I have developed an Android app, and my backend server as well.
The server is providing RESTful services for the app to call. Some questions:
1) Is this the correct way of doing things? Say, user login, getting his inbox messages, etc., via REST?
2) How to communicate securely? So that if anyone who knows the URLs, they can attack the services.
Thanks!
1) Is this the correct way of doing things? Say, user login, getting his inbox messages, etc., via REST?
I wouldn't say that there's a "correct" way, but multiple ways, each with their pros and cons. Without additional detail, it sounds as if you're on the right track.
2) How to communicate securely? So that if anyone who knows the URLs, they can attack the services.
Really the only way is to use HTTPS. URLs are publicly accessible via the web, enabling folks to attack them. This is not much different than any other site/service, REST or SOAP. I don't know if there's a way to really lock down the traffic to only the devices, maybe registering a device id and requiring it on every request? That still doesn't stop an attack, but may be a simple way to reduce some of the noise.
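The device-ID idea from the answer above, sketched server-side as an added example (not code from the original question or answer): every call must arrive over HTTPS and carry a registered device ID, and the user's session token is still checked afterwards because the device ID only filters noise. The `X-Device-Id` header name, the `Backend` class and its in-memory stores are assumptions made for illustration.

```python
import hashlib
import secrets

DEVICE_HEADER = "X-Device-Id"  # hypothetical header name, not from the page


def _digest(value: str) -> bytes:
    # Store and look up digests so raw IDs/tokens never sit in the stores.
    return hashlib.sha256(value.encode("utf-8")).digest()


class Backend:
    """Constructed in-memory stand-in for the server's device and session stores."""

    def __init__(self):
        self._devices = set()  # digests of registered device IDs
        self._sessions = {}    # session-token digest -> username

    def register_device(self) -> str:
        device_id = secrets.token_urlsafe(32)  # server-issued and unguessable
        self._devices.add(_digest(device_id))
        return device_id

    def login(self, username: str) -> str:
        # Password verification is omitted; assume it has already succeeded.
        token = secrets.token_urlsafe(32)
        self._sessions[_digest(token)] = username
        return token

    def check_request(self, scheme: str, headers: dict) -> tuple:
        """Return (http_status, detail) for one incoming REST call.

        Assumes the web framework passes the request scheme and a dict of
        headers keyed by their canonical names.
        """
        if scheme != "https":
            return 403, "HTTPS required"
        if _digest(headers.get(DEVICE_HEADER, "")) not in self._devices:
            return 403, "unregistered device"  # cheap filter, reduces noise only
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing session token"
        user = self._sessions.get(_digest(auth[len("Bearer "):]))
        if user is None:
            return 401, "invalid session token"
        return 200, user
```

The device ID is sent by the client on every request, so anyone who extracts it from the app can replay it; the session check is what actually ties a request to a user.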