I currently have latest jbackend on my joomla 3.3 website and using it for developing android application which will require to check the login details through json response. I'm looking into security concerns as the application will be easily downloaded by everyone and they can simply extract the code using some tools. Therefore the url used by jbackend rest api will be at there hands with the api key that i set through jbackend but still they need to guess the login unless they're doing MITM but still the passwords are hashed.

So my questions:
1) how do I disable all get request for login ONLY and just leave the post request functional
2) how can I block like a bruetforce attack as for example after 5 wrong tries of sending a login request through the rest url the ip will be blocked.
3) any other ideas that can make this more secure is welcome

thanks for the quick reply... ill give that user option a try and read more about it.