Should we encrypt all REST API calls from a mobile device?

Considering that TLS is in place with a solid configuration (i.e. certificate pinning), which I find no reason not to use, you'd need to work out the business risk you're trying to mitigate by encrypting this information.

Ask yourself, what would you gain by doing this? What type of attack vectors are you mitigating?

How are you going to generate, distribute and manage keys, and where are the code and keys that encrypt/decrypt the data? What happens when (not if) the keys are extracted [i.e. will you be using the same key for everything?]?

One of the points of TLS is to solve this problem - a secure way to transport data across untrusted networks, preferably using ephemeral keys for the actual encryption portion. Doing this yourself is possible but is coming dangerously close to "rolling your own" as you will have to solve problems like key storage, etc.

Depending on how your backend network is set up, you may want to look at whether you are enforcing full end-to-end encryption or whether your TLS terminates at a load balancer or router. That is a separate topic, however.
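The TLS-with-pinning baseline the answer treats as the "solid configuration", as an added example that is not code from the original post: a REST client that validates the chain and hostname in the handshake and then enforces a certificate pin before sending any application data. The host, path and pin values are assumptions.

```python
import base64
import hashlib
import socket
import ssl

# Pins: base64 SHA-256 digests of the server's DER-encoded leaf certificate.
# A backup pin lets the certificate rotate without locking out the app.
# Both values are constructed placeholders, not real pins.
PINNED_CERT_SHA256 = {
    "PLACEHOLDER_CURRENT_PIN_BASE64=",
    "PLACEHOLDER_BACKUP_PIN_BASE64=",
}


def compute_pin(der_cert: bytes) -> str:
    """Base64 SHA-256 digest of a DER certificate (the pin format used here)."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """True if the presented leaf certificate matches one of the pinned digests."""
    return compute_pin(der_cert) in pins


def build_context() -> ssl.SSLContext:
    """TLS settings a mobile REST client should insist on."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    return ctx


def pinned_get(host: str, path: str, pins: set, port: int = 443) -> bytes:
    """One HTTPS GET that aborts before sending data if the leaf cert is not pinned."""
    ctx = build_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # CA validation and hostname check happened during the handshake;
            # the pin check is the extra step that defeats a rogue/compromised CA.
            leaf = tls.getpeercert(binary_form=True)
            if leaf is None or not pin_matches(leaf, pins):
                raise ssl.SSLError(f"certificate pin mismatch for {host}")
            request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            chunks = []
            while chunk := tls.recv(4096):
                chunks.append(chunk)
            return b"".join(chunks)
```

Call `pinned_get("api.example.com", "/v1/ping", PINNED_CERT_SHA256)` once the placeholder pins are replaced with digests of your real leaf certificate; the pin is on the leaf here, so every certificate rotation must be planned with a backup pin already shipped.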