The approach looks good, a few considerations though:
- the `secretString` can be extracted pretty easily from the app. The only factor here is the motivation of the attacker.
- consider replacing MD5 with SHA-1. Although there is no fatal vulnerability in MD5, the change is trivial and more secure.
- don't use IP addresses for a "single source" protection. Mobile devices pass through carrier networks and share a relatively small IP block.
- consider adding a unique, incrementing number in the request to avoid replay attacks.
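
An added example, not part of the original answer: a server-side check that binds the incrementing number into the signed message and rejects any request whose number is not higher than the last one accepted for that client. The names `sign`, `ReplayGuard`, the `client_id` field and the sample secret are assumptions, and HMAC-SHA1 is this example's choice in place of a bare hash over the concatenated secret.

```python
import hashlib
import hmac

# Constructed sample value standing in for the app's secretString.
SECRET_STRING = b"constructed-demo-secret"


def sign(client_id: str, counter: int, body: bytes,
         secret: bytes = SECRET_STRING) -> str:
    """Client side: sign client id, counter and body together.

    The client id is length-prefixed so field boundaries cannot be shifted
    to make two different requests produce the same signed message.
    """
    header = f"{len(client_id)}:{client_id}:{counter}:".encode()
    return hmac.new(secret, header + body, hashlib.sha1).hexdigest()


class ReplayGuard:
    """Server side: verify the signature, then require a strictly
    increasing counter per client (hypothetical helper)."""

    def __init__(self, secret: bytes = SECRET_STRING):
        self._secret = secret
        self._last_seen = {}  # client_id -> highest counter accepted

    def accept(self, client_id: str, counter: int, body: bytes,
               signature: str) -> str:
        expected = sign(client_id, counter, body, self._secret)
        # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad-signature"
        # Only update state after the signature is known to be valid, so an
        # unsigned request cannot burn counter values for a real client.
        if counter <= self._last_seen.get(client_id, -1):
            return "replay"
        self._last_seen[client_id] = counter
        return "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    sig = sign("device-a", 1, b"score=10")
    print(guard.accept("device-a", 1, b"score=10", sig))  # first delivery
    print(guard.accept("device-a", 1, b"score=10", sig))  # captured and resent
```

Because the counter is inside the signed message, a captured request cannot be resent with a bumped number. The check does nothing against someone who has extracted the secret from the app, which is the first point above.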