I am developing an android app where the user can signup using the android Facebook SDK. I am using Google Volley library to make http requests to my PHP page to receive JSON data from MySql database. I want to store personal information about the user and retrieve them later from the database. I spent the entire day looking on Google ways on how to secure android-php connection. One of the most popular solution I came across is send a hash key with the post request and verify that hash key via PHP. Like so:
if($_POST['secret'] != '3CH6knCsYmvA2fdghfdfgmf3JqmUctCM') {
header('HTTP/1.1 403 Forbidden');
error_log("ERROR: wrong secret: " . $_POST['secret']);
exit("Access denied");
}
The problem with the code above is that some hackers can de-compile any apk file and look at the code and easily figure out what they key hash is. Since I don't have an custom login system with username and password to authenticate the user, what can I use to secure the connection between android and php? I need an example or a link to a tutorial or any suggestion about established solutions to such problem.
This question isn't new on Stack Overflow, but other similar questions are 2 or 3 years old which is considered historic in the rapid development world of Android.