Protect API URL access via hash in Android app

伪装坚强ぢ 2020-12-09 12:12

In my Android application, the user can submit content to the database which can then be seen by all the other users as well.

This new content is sent to the server

4 answers
  •  Happy的楠姐
    2020-12-09 12:54

    Don't trust the client for validation. This is true if it's JavaScript in a web browser or even some locked-down platform like the iPhone.

    If the app can make the API calls, then clearly everything needed to make those calls is on the phone (secret, hash function, API key, whatever), so someone can always dump the phone's storage and get all that data. They can then make whatever request they want.

    What you want to do is authenticate the user and then validate the input on the server side.
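The approach recommended in the answer above, sketched as an added example that is not part of the original thread: the server authenticates the user with a token it issued itself and validates the submitted content before storing it. The function names, the token format, `TOKEN_TTL` and `MAX_CONTENT_LEN` are assumptions made for this sketch; a real backend would normally use its framework's session or token handling.

```python
import hashlib
import hmac
import secrets
import time

# Generated and kept on the server; unlike an app secret it never ships in the APK.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600        # assumed session lifetime, seconds
MAX_CONTENT_LEN = 500   # assumed limit for this example


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, now=None) -> str:
    """Issued only after the server has verified the user's credentials."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = f"{user_id}:{expires}"
    return f"{payload}:{_mac(payload)}"


def authenticate(token, now=None):
    """Return the user id bound to a valid, unexpired token, else None."""
    try:
        user_id, expires, mac = token.rsplit(":", 2)
        expires_at = int(expires)
        # Constant-time comparison on bytes; malformed input lands in except.
        good = hmac.compare_digest(mac.encode(), _mac(f"{user_id}:{expires}").encode())
    except (ValueError, AttributeError):
        return None
    if not good or expires_at < (time.time() if now is None else now):
        return None
    return user_id


def submit_content(token, content) -> tuple:
    """Server-side handler: authenticate first, then validate the input."""
    user_id = authenticate(token)
    if user_id is None:
        return 401, "authentication required"
    if not isinstance(content, str):
        return 400, "content must be a string"
    text = content.strip()
    if not text or len(text) > MAX_CONTENT_LEN:
        return 400, "content length out of range"
    if any(ord(c) < 32 and c not in "\n\t" for c in text):
        return 400, "control characters not allowed"
    return 201, f"stored for user {user_id}"
```

Because the signing key exists only on the server, nothing recoverable from the phone lets a client mint a token for another user, and every submission is checked again on the server regardless of what the app already validated.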
