We have an Android App written in Java that performs HTTPS calls to our mobile API server running ASP.NET Web API 2 (C#). Some API methods require authentication, and some methods are "open". Protecting "open" methods is not required, but we still want to protect those "open" calls with digital signatures.
So Android app will have a Private Key to sign the "open" API calls with. The strategy of delivering that private key into the app is irrelevant for this question, but it could be either one of a) one key for all users, embedded (hardcoded) in the APK file, or b) different key for each user, delivered to the phone from server as part of users "email verification" process.
Let's just assume that "somehow" app has that Private Key, and the API server has the corresponding Public Key. So what would be the recommended crystallographic schema to sign the API call to server?
Please advice! Thank You!