by ju-st 3615 days ago
- encrypt everything using AES and pray that nobody will find the key in the apk
- use your own crooked HTTP implementation that violates the official specs (e.g. missing \r\n's or introducing random whitespace characters...). Simple HTTP parsing tools won't work anymore and the attacker will get grey hairs when he tries to test/use your endpoints
2 comments

Just a heads up that changing the HTTP protocol can break a load balancer. Experienced this one time while using Amazon's ELB: the response had invalid HTTP and the ELB instances would silently lock up and stop responding, eventually draining the pool. Was not fun to debug.
Don't use a static key. At least use DHE or ECDH to negotiate the key.
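The contrast between the two comments above (a static AES key baked into the APK versus a key negotiated per session) as an added example, not code from this thread or from any of its posters: a pure-Python X25519 (the ECDH function from RFC 7748) plus an HKDF-SHA256 step that turns the shared secret into a 256-bit key. Both endpoints generate a fresh key pair, exchange only public keys, and derive the same session key, so there is no long-term secret to ship in the app. The hex test values in the comments are the RFC 7748 section 6.1 vectors; `keypair`, `session_key` and the `info` label are names chosen here. The swap in the ladder is not constant-time, so this is for understanding the mechanism, not for production, where a library such as `cryptography` or libsodium should be used.

```python
import hashlib
import hmac
import os

P = 2**255 - 19          # field prime for Curve25519
A24 = 121665             # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT = b"\x09" + b"\x00" * 31   # u = 9, little-endian, 32 bytes


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 section 5 requires."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """Decode a u-coordinate, masking the top bit of the last byte (RFC 7748)."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 via the Montgomery ladder of RFC 7748."""
    k_int = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:                      # demo only: a real implementation swaps in constant time
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, salt: bytes = b"", info: bytes = b"", length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def keypair():
    """Fresh ephemeral key pair: nothing here is a constant that could live in an APK."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def session_key(my_priv: bytes, peer_pub: bytes, info: bytes = b"demo-app aes-256 key") -> bytes:
    """Derive a symmetric key from the ECDH shared secret; reject low-order peer keys."""
    shared = x25519(my_priv, peer_pub)
    if shared == bytes(32):           # RFC 7748 section 6.1: all-zero output means a bad peer key
        raise ValueError("peer public key is a low-order point")
    return hkdf_sha256(shared, info=info)


def demo() -> bool:
    """App and server each keep their private key; only public keys cross the wire."""
    app_priv, app_pub = keypair()
    srv_priv, srv_pub = keypair()
    return session_key(app_priv, srv_pub) == session_key(srv_priv, app_pub)
```

One caveat the thread does not spell out: a bare ECDH exchange stops key extraction from the binary but not an active man-in-the-middle, because the app cannot tell whose public key it received. In practice the server's ephemeral key is authenticated by TLS (or a pinned signing key), which is exactly what DHE/ECDHE cipher suites do.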