I have a conceptual question and wanted to know if anyone would be kind enough to help.
I will use a simple example to explain my point of view.
I have developed a simple RESTFul API with Node.JS + Express + MongoDB as a backend. The API saves hightscores from an Android game app. I use token-based authentication, where the tokens are generated from a secret and a trusted username/password (hardcoded or not).
But I still have a doubt thinking about safety...
Reverse engineering is a piece of cake since any developer can easily find the backend endpoint of the API and use it with his username and password (or the hardcoded one) to obtain the token.
Then the token ca be used for insert fake highscores via the API.
My questions are:
There is no full-proof way to do this. In theory, everything can be debugged - including your verification mechanism (token generation).
Using a web API is a good way to have your mobile app communicate with a backend and works fine in most cases. However, it your case, you basically want to make sure that the API is used only via the Android app you have. This is typically done by encrypting the communication protocol and making it hard for others to debug it. So, your app will encrypt the communication in a way, which is hard to decrypt if you don't know the internals of the app/server. However, this is hard to do from scratch.
If you want a ready-made solution, you could use Google's Play Game Services, for highscores, achievements, etc. That should be secure enough, but I can't say what the implications would be for your current situation.