I'm building a mobile app that will use an API created by me on my server. This API will be publicly exposed, but not publicly documented. I want to let the user use the app without authentication for a faster user experience. Let's assume the purpose of the app is "polls", so the user will create and vote for different polls. I want to be sure that a hacker user will not be able (for example) to vote multiple times for the same poll (or do anything else bad).
I know that it's very simple to trace HTTPS traffic, perform similar API calls and do bad things on the DB. In order to avoid that, I was thinking about generating, client side, a string that is the timestamp encrypted with AES and a fixed password (same for every client and carved in the source code) known only by the server; the server will then decrypt the string and check the timestamp. [Doing this I'm supposing no one can decompile and find the PWD inside the source code]
Do you know any better approaches? I don't want to reinvent the wheel, but I guess OAuth will not solve my problems here.
Examples for better understanding:
API1: retrieve available polls --> I don't want an attacker to call this API multiple times, in order to avoid reading the DB on malicious calls
API2: submit the poll evaluation --> I don't want an attacker to call this API multiple times in order to falsify the results
Thanks very much for your help
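The proposed scheme written out in Go, as an added example that is not part of the original post: the client encrypts a timestamp under a key baked into every client, and the server decrypts it, checks freshness, and (as a small extension of what the post describes) remembers tokens it has already accepted so a captured token cannot be replayed verbatim. The key, the window and the sample values are constructed; the point the code makes is that the server still has no notion of which user sent a token, so it can stop stale and replayed tokens but not repeated votes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"time"
)
// Constructed stand-in for the fixed password "carved in the source code" (32 bytes: AES-256).
var sharedKey = []byte("constructed-demo-key-32-bytes!!!")
func aead() cipher.AEAD {
	block, _ := aes.NewCipher(sharedKey) // key length is valid by construction
	g, _ := cipher.NewGCM(block)
	return g
}

// MakeToken is the client side: AES-GCM-encrypt a Unix timestamp under the fixed key.
func MakeToken(ts int64) string {
	g := aead()
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(ts))
	return base64.StdEncoding.EncodeToString(g.Seal(nonce, nonce, buf, nil))
}

// Accept is the server side: decrypt, require the timestamp to lie within window, and
// refuse a token already in seen so a captured token cannot be replayed verbatim.
// It cannot tell who sent the token: every client holds sharedKey, so each can mint a
// fresh valid token per request and the number of votes per user stays unbounded.
func Accept(token string, now time.Time, window time.Duration, seen map[string]bool) bool {
	g := aead()
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(raw) < g.NonceSize() {
		return false
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], nil)
	if err != nil || len(pt) != 8 {
		return false
	}
	age := now.Sub(time.Unix(int64(binary.BigEndian.Uint64(pt)), 0))
	if age < 0 || age > window || seen[token] {
		return false
	}
	seen[token] = true
	return true
}
```

Because the only thing the check can bind a vote to is the token itself, a per-poll vote limit has to come from something the server can attribute to a user (an identity or a server-issued per-device credential) plus server-side rate limiting, not from the timestamp check alone.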