Best practices for web server security

Hey all...I'm working on a turn-based asynchronous game in which players post commands to a web server and the action plays out in the game.

I want to be mindful of both the security requirements to protect user accounts as well as the best ways to thwart cheaters from posting counterfeit requests.

My initial plan was to encrypt all the form post data that the game posts to the web server and decrypt it on the server side (using a private key) and do some message digest checks to ensure that the post data hasn't been tampered with. But it seems this might create a problem for release on the iOS App Store. While registering the game with iTunes Connect (so I could test in-app purchases), the form asks specifically if the game will make use of encryption. I suspect that if I answer "Yes" to that question, I'll be opening myself up to a lengthy review process and tons of scrutiny that might delay my release or even get the app rejected all together.

Can anyone provide some guidance on the best way of guaranteeing the authenticity of a form post? I mean beyond the username/password authentication (which is already in place). I want to ensure that the posts are coming from an unmodified version of my application.

In my day job, I'm a web developer, and there's no shortage of tricks that can be used to fake a form post. When I have something that is particularly sensitive, I normally will use a "full payload encryption" mechanic...but I just think that's going to be asking for trouble with the iOS store.

Thanks, community!
--RB