[isuckatcoding]

What are some other ways to prevent people from discovering your API endpoints?

One terrible idea I just had was creating only one publicly accessible API and then encrypting the actual endpoint in the payload which the server would decrypt and then redirect.

[K0nserv]

Don't rely on obscurity and obfuscation. Instead build your API in such a way that handing someone the complete documentation would have no negative impact. Assume the client is always compromised. My $0.02

[userbinator]

One terrible idea I just had was creating only one publicly accessible API and then encrypting the actual endpoint in the payload which the server would decrypt and then redirect.

You just reinvented the TLS socket connection.

[ju-st]

- encrypt everything using AES and pray that nobody will find the key in the apk - use your own crooked Http implementation that violates the official specs (e.g. missing \r\n's or introducing random whitespace characters...). Simple http parsing tools won't work anymore and the attacker will get grey hairs when he tries to test/use your endpoints

[danielrhodes]

Just a heads up that changing the HTTP protocol can break a load balancer. Experienced this one time while using Amazon's ELB: the response had invalid HTTP and the ELB instances would silently lock up and stop responding, eventually draining the pool. Was not fun to debug.

[sjtgraham]

Don't use a static key. At least use DHE or ECDH to negotiate the key.