requests by API key not by admin UN and PW
Usually every POST request requires the username and the password of the admin.
I think in security point of view, if the company has an android app that requires an API POST or GET requests, it should send the API key instead of the admin UN and PW.
The reason is, why could "a user" submits the admin's information?if the user succeed getting his phone communication data through wifi, he could get the admin's information.
So, I think the solution is to make the requests require API key instead of the admin info to increase the API security level.