Proper architecture for iOS connecting to database

Published 2019-03-05 22:59

Question:

I'm a web developer who is moving into creating mobile (iOS/Android) applications.

As such, what I'm trying to understand is how should I architect the mobile application to access (post/update/delete) data stored on a central server.

For illustration purposes, let's say I am creating a mobile Recipe application (named "MyRecipeApp"). Some recipes I want to share with other recipe users of MyRecipeApp, and some recipes I want to keep private to myself.

In order to share recipes, all recipes (both private and sharable) are stored on a centralized (server) database and the MyRecipeApp accesses that database to fetch that information.

As such, I have a few questions:

  1. With MyRecipeApp, how do I access the database? Do I make my database publicly accessible so that MyRecipeApp can talk to the database? If so, that seems insecure.

  2. Do I hard-code SQL into MyRecipeApp (e.g. SELECT * FROM RECIPES WHERE USER = "John Smith") to access the database to fetch recipes? If so, that seems insecure in the sense that someone could just hack my mobile app and change the SQL to fetch any information.

  3. Do you send the user's username/password with each fetch to the database? If so, how are you encrypting the traffic between the database and MyRecipeApp?

  4. What else am I not thinking about in how I should be architecting a mobile application?

Answer 1:

  1. Connect through an API (perhaps restful HTTP API).
  2. Don't hard code SQL. Instead, make API calls, passing parameters.
  3. Yes, send authentication information with every request and use HTTPS; or send the username and password on the first request only, get a session token, and use that on subsequent requests, but still use HTTPS.
  4. Consider sending and receiving data in JSON format.
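A server-side sketch of the answer's four points, added here as an example and not part of the original post: the app sends credentials once to `login`, gets a session token, and calls `get_recipes` with only that token; the server owns the SQL (bound parameters, never client-supplied statements) and the visibility rule for private recipes, and replies in JSON. The in-memory SQLite database, the users, recipes and passwords are constructed; the HTTPS transport and the iOS client are assumed and not shown.

```python
import hashlib
import hmac
import json
import secrets
import sqlite3

SALT = b"constructed-demo-salt"  # constructed; a real server uses a random per-user salt

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db():
    """Constructed in-memory sample data standing in for the central server database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, token TEXT)")
    db.execute("CREATE TABLE recipes (id INTEGER PRIMARY KEY, owner TEXT, title TEXT, private INTEGER)")
    db.executemany("INSERT INTO users (name, pw_hash) VALUES (?, ?)",
                   [("alice", hash_password("alice-pw")), ("bob", hash_password("bob-pw"))])
    db.executemany("INSERT INTO recipes (owner, title, private) VALUES (?, ?, ?)",
                   [("alice", "Pancakes", 0), ("alice", "Secret sauce", 1),
                    ("bob", "Chili", 0), ("bob", "Grandma's pie", 1)])
    return db

def login(db, username, password):
    """POST /login: username/password are sent once (over HTTPS); returns a session token or None."""
    row = db.execute("SELECT pw_hash FROM users WHERE name = ?", (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], hash_password(password)):
        return None
    token = secrets.token_urlsafe(32)
    db.execute("UPDATE users SET token = ? WHERE name = ?", (token, username))
    return token

def get_recipes(db, headers):
    """GET /recipes: the app sends only its token; the server decides the SQL and who sees what."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, json.dumps({"error": "missing token"})
    row = db.execute("SELECT name FROM users WHERE token = ?", (auth[len("Bearer "):],)).fetchone()
    if row is None:
        return 401, json.dumps({"error": "invalid token"})
    user = row[0]
    # Bound parameter, not string concatenation: the client cannot rewrite the query,
    # and other users' private recipes are never selected, whatever the app requests.
    rows = db.execute(
        "SELECT id, owner, title FROM recipes WHERE private = 0 OR owner = ? ORDER BY id",
        (user,)).fetchall()
    return 200, json.dumps([{"id": i, "owner": o, "title": t} for i, o, t in rows])
```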