I have Facebook and Google login in my application, and I use my backend server to store data about the user, such as name and status.
I am sending the token alongside some info like user points; the server uses the token to identify the user and does its work just fine.
Before publishing the app I want to encrypt everything. I know I can use SSL; however, my provider charges A LOT of money for SSL support.
My idea was to generate an RSA keypair, save the private key in a safe place, and have the public key in the APK.
I can generate, encrypt and decrypt using RSA within my app very easily, but I'm not an expert in PHP. I tried a lot of things to decrypt stuff on the server side, but I can't figure out how to do it.
I have one keypair generated by Android; I used:
    getPublic().getEncoded()
    getPrivate().getEncoded()
How can I use the private key in PHP to decrypt and encrypt data?
I know that this may not be the best way to do things, but I think I won't have a problem; the target audience is really far from hackers.
Because you added the tag PHP, I am assuming that you have some kind of REST API running that you are calling from your Android app. Now, you don't need to encrypt and decrypt in PHP. Those are handled by your web servers. As far as SSL goes, have a look at Let's Encrypt, which is open source. Enforcing SSL alone on the web server is a pretty good security measure.
I think I achieved what I was trying to do: login is 100% handled by Facebook and Google via HTTPS, and I only use tokens to identify the user on my server and increment the score.
1- The token and score are encrypted and sent to the server
2- Using the private key, the server finds the token, and I use HTTPS to make calls to Facebook or Google to retrieve the user ID and increment the score
Note that all data stored on my server is 100% public; I don't store private information about anyone. I just want to protect the token: if someone gets the token and starts to make a lot of calls, it may reach the Facebook limit of 200 calls/hour per user, making my app inoperable.
I will upgrade to SSL in the future, when I start to earn revenue from the app.
Android
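import android.util.Base64;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.Cipher;

// Base64 of the X.509-encoded public key
String pubKeyPEM = "***";

public void something() throws Exception {
    // Flag 0 is Base64.DEFAULT
    String sendToServer = Base64.encodeToString(RSAEncrypt("test"), 0);
}

public byte[] RSAEncrypt(final String request) throws Exception {
    PublicKey publicKey = getPublicKey();
    Cipher cipher = Cipher.getInstance("RSA/None/PKCS1Padding");
    cipher.init(Cipher.ENCRYPT_MODE, publicKey);
    // Encrypt the UTF-8 bytes of the request string
    return cipher.doFinal(request.getBytes(StandardCharsets.UTF_8));
}

public PublicKey getPublicKey() throws Exception {
    // Decode the Base64 text and rebuild the key from its X.509 encoding
    byte[] decoded = Base64.decode(pubKeyPEM, Base64.DEFAULT);
    KeyFactory kf = KeyFactory.getInstance("RSA");
    return kf.generatePublic(new X509EncodedKeySpec(decoded));
}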
PHP
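// PEM-encoded private key (only the header line is shown)
$privkey = '-----BEGIN RSA PRIVATE KEY-----';

// Base64-decode the payload and RSA-decrypt it; returns '' on failure
function decrypt($data) {
    global $privkey;
    if (openssl_private_decrypt(base64_decode($data), $decrypted, $privkey)) {
        $data = $decrypted;
    } else {
        $data = '';
    }
    return $data;
}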
The private key will be moved to a safer place, but this is working just as I wanted.
My server is also checking if the token was generated by my app ID, so if someone tries to use a different token, it will show a different app ID.
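The key-format step the question asks about, as an added example that is not part of the original posts: Java's `getPrivate().getEncoded()` returns PKCS#8 DER and `getPublic().getEncoded()` returns X.509 SubjectPublicKeyInfo DER, and PHP's OpenSSL functions accept those bytes once they are wrapped in `PRIVATE KEY` / `PUBLIC KEY` PEM armor. The helper names `derToPem`, `pemToDer` and `decryptFromApp` are hypothetical, the key pair is generated inside the script as a constructed stand-in for the Android one, and a PHP build with the openssl extension and a usable OpenSSL configuration is assumed.

```php
<?php
// PEM-wrap raw DER key bytes so PHP's openssl_* functions accept them.
// Java's getPrivate().getEncoded() is PKCS#8 -> label "PRIVATE KEY";
// getPublic().getEncoded() is X.509 SubjectPublicKeyInfo -> "PUBLIC KEY".
function derToPem(string $der, string $label): string
{
    return "-----BEGIN $label-----\n"
        . chunk_split(base64_encode($der), 64, "\n")
        . "-----END $label-----\n";
}

// Strip PEM armor back to DER (used here only to build sample input).
function pemToDer(string $pem): string
{
    return base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', $pem), true);
}

// Decrypt one Base64-encoded RSA PKCS#1 v1.5 block; null on any failure.
function decryptFromApp(string $b64, string $privatePem): ?string
{
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return null;
    }
    $ok = openssl_private_decrypt($raw, $plain, $privatePem, OPENSSL_PKCS1_PADDING);
    return $ok ? $plain : null;
}

// Constructed sample input: a throwaway key pair whose DER bytes stand in
// for what the Android getEncoded() calls would produce (assumption).
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $pkcs8Pem);
$privateDer = pemToDer($pkcs8Pem);
$publicDer  = pemToDer(openssl_pkey_get_details($pair)['key']);

// Server side: rebuild a PEM private key from the Java-style DER bytes.
$privatePem = derToPem($privateDer, 'PRIVATE KEY');

// Stand-in for the app: encrypt with the public key, PKCS#1 v1.5 padding,
// then Base64-encode, mirroring the Android snippet above.
$publicPem = derToPem($publicDer, 'PUBLIC KEY');
openssl_public_encrypt('test', $cipher, $publicPem, OPENSSL_PKCS1_PADDING);
$sent = base64_encode($cipher);

var_dump(decryptFromApp($sent, $privatePem));          // round trip
var_dump(decryptFromApp('not base64!', $privatePem));  // malformed input
```

The `RSA PRIVATE KEY` label denotes the PKCS#1 encoding, which is a different byte layout from the PKCS#8 bytes Java returns, so the label has to match the encoding actually stored.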