
Protecting API calls from iOS


I started developing iOS applications using HTML5 and PhoneGap.

I have a question about security here. Since iOS applications cannot run PHP code, people use REST APIs to communicate with the server in order to get data from a database and such. Or am I wrong?

Anyway, how can this be secure? For example, someone can just extract the code from the app and will have access to the API calls. How can this be secure? I am not looking for snippets of code, I am wondering what method is used to secure this. As of now, all I have in my head are tokens like the ones used to prevent CSRF attacks and such.


Solution

  • You can use REST services, but it doesn't mean you are giving access to the service. You have to deal with sessions, but do not include clear passwords, etc., unless you connect to the backend by prompting the user, using OAuth to authenticate the session and storing it in the keychain. You can force the user to re-insert the information when the session expires, and you can check that every time the user accesses the application. If you decompile the app or just unzip it, the HTML code can be accessed, but the difference is "how you manage the connection". Obviously, as I've told you, if you use static information (using a .plist file or whatever) your applications will be strongly inefficient and easy to break. My recommendation would be to learn how to work with the keychain, NSURLCredential, OAuth and cookie management in iOS.