2

In our app, we are communicating with the back-end over the HTTPS network. My confusion is: is there any benefit of using encryption over that?

EDIT: By using encryption, I mean I want to use AES encryption to send requests over the network that is already secure. So I was confused if it is extravagant to use AES encryption over an already secure connection.

4

2 Answers

4

It's overkill. An SSL connection is all you need if you properly configure your server and know how to manage certificates. Adding another layer of encryption (you didn't describe it, so I assume it's another SSL clone) certainly can't harm, but you have to carefully design and implement it.

The reason why it's not common is because you need to implement your protocol both on the client and on the server, which is not a little effort. And supposedly if you can't keep SSL secure, you shouldn't implement a proprietary protocol altogether.

Also, note that the custom protocol only makes sense if you deploy your native client (you tagged "iOS", so I mean a native C/Objective-C implementation) before the connection: it's useless to have a JavaScript client (you also mentioned HTTP so I guess it's a standard www application) transmitted, because if the attacker can break SSL, it can certainly manipulate the JavaScript and at this point your protocol is not secure anymore.

answered 2012-12-19T10:46:28.903
2

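It looks a bit like overkill, but I would not reject it totally.

Depending on your application, your security concerns and the environment you work in, this extra "security layer" that encrypts your data before transmission may pay off. Maybe the receiving end should not be able to see the data and reroutes them somewhere else, maybe because it is untrusted (third-party app), maybe for simple data privacy reasons (law).

I don't know if AES would be a good solution, I would go for RSA... but that's another story.

answered 2012-12-19T12:02:57.053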
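The scenario from the second answer, where the endpoint that terminates HTTPS only forwards the data and should not read it, as an added example that is not part of either answer. It assumes Node.js with its built-in `crypto` module and uses AES-256-GCM for the payload with RSA-OAEP wrapping the AES key; all function names and sample values are hypothetical and constructed for illustration.

```javascript
// Added example, not code from the thread. Constructed flow:
// client -> relay that terminates TLS -> final recipient holding the private key.
const crypto = require('node:crypto');

// Final recipient's key pair (generated here so the example is self-contained).
function makeRecipientKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client: encrypt the payload with a fresh AES-256-GCM key, then wrap that key
// with the recipient's RSA public key.
function sealForRecipient(publicKey, plaintext, context) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12); // 96-bit nonce, used once with this key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(context)); // binds the ciphertext to its routing context
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, key);
  return {
    context,
    wrappedKey: wrappedKey.toString('base64'),
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Relay: TLS ends here, so it sees the request body, but only as this envelope.
function relayView(envelope) {
  return JSON.stringify(envelope);
}

// Final recipient: unwrap the AES key, verify the GCM tag, decrypt.
// Throws if the ciphertext or the context was modified in transit.
function openEnvelope(privateKey, envelope) {
  const key = crypto.privateDecrypt(
    { key: privateKey, ...OAEP }, Buffer.from(envelope.wrappedKey, 'base64'));
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(envelope.iv, 'base64'));
  d.setAAD(Buffer.from(envelope.context));
  d.setAuthTag(Buffer.from(envelope.tag, 'base64'));
  const pt = Buffer.concat([d.update(Buffer.from(envelope.ct, 'base64')), d.final()]);
  return pt.toString('utf8');
}
```

The envelope would still travel inside HTTPS; the inner layer only changes what the TLS-terminating hop can read or alter.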