How can I prevent anyone from communicating with m

Posted 2019-03-31 03:24

I got a REST server on Google App Engine and I want only my app to be able to make calls to my server.

Is there a security option I can turn on in Google App Engine that will facilitate this? If not, then what can I do?

I know you can restrict access to some pages with the following, but I am not sure it can be applied to REST calls:

<security-constraint>
        <web-resource-collection>
            <url-pattern>/cron/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
</security-constraint>

6 answers
▲ chillily
#2 · 2019-03-31 04:04

Short answer is, you can't, at least not completely securely.

https://security.stackexchange.com/questions/826/how-can-i-securely-authenticate-the-client-application-sending-me-data

Long answer is, you can make it difficult for hackers. Usually this works by embedding a key in the application, obfuscating it, and obfuscating the code for getting the key. This doesn't make it impossible for someone to find the key, just harder.

One of the stronger consumer systems out there is Microsoft's Silverlight DRM, you might want to investigate how that works: http://www.iis.net/learn/media/iis-media-services/content-protection-in-silverlight

Ridiculous、
#3 · 2019-03-31 04:15

You could make all your REST services require an Access Key & Secret when accessed. The App could then store these under the configuration settings and are left blank when shipped to the App store.

Then when you download the application you can go into the configuration settings and insert the Key & Secret that you've set up for your REST Service. (This way it prevents anyone from accessing services, since you manually add the Key + Secret that are used.)

I would recommend setting up an IP Log of all unauthorized access attempts on the server so you could create a blacklist if someone is spamming your web service with invalid access attempts.

And then to top it all off you could do this all over HTTPS.

女痞
#4 · 2019-03-31 04:19

There are a few options:

  • Firstly, you could limit by IP. This is not a good way if your Android app gets a dynamic IP every time.
  • Secondly, you can use some algorithm on both server and client which only you know. The server could send the data to the client; the client runs that algorithm and modifies the data, then sends it back to the server. The server also runs that algorithm and checks the response. If the response is equal to what the server has calculated, then the server knows that the client is authorized. In that case the initial data sent from the server should be different every time.
  • Thirdly, you can use some publicly available hashing function instead of your own algorithm. The idea is the same. The server uses the same hashing function and checks if the response from the client is identical to its calculation.
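
The challenge-response idea from the answer above, with HMAC-SHA256 as the publicly available function, sketched as an added example that is not part of any answer on this page. `SHARED_KEY`, `CHALLENGE_TTL` and the class and function names are assumptions made for illustration. The check proves possession of the key only; as other answers here point out, a key shipped inside the app can be extracted.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a secret compiled into the app build (constructed demo value).
SHARED_KEY = b"constructed-demo-key"
CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)


class ChallengeServer:
    """Server side: issues one-time challenges and verifies responses."""

    def __init__(self, key, clock=time.monotonic):
        self._key = key
        self._clock = clock
        self._pending = {}  # challenge -> expiry time

    def issue_challenge(self):
        # Fresh random data every time, so a captured response cannot be reused.
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = self._clock() + CHALLENGE_TTL
        return challenge

    def verify(self, challenge, response):
        # pop() makes each challenge single-use, whether or not it verifies.
        expiry = self._pending.pop(challenge, None)
        if expiry is None or self._clock() > expiry:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def client_response(key, challenge):
    """Client side: prove knowledge of the key without sending it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo():
    server = ChallengeServer(SHARED_KEY)
    c1 = server.issue_challenge()
    r1 = client_response(SHARED_KEY, c1)
    first = server.verify(c1, r1)   # fresh challenge, right key
    replay = server.verify(c1, r1)  # same pair sent again
    c2 = server.issue_challenge()
    stale = server.verify(c2, r1)   # old response to a new challenge
    return first, replay, stale
```
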
孤傲高冷的网名
#5 · 2019-03-31 04:20

(Three answers already, and all with different ideas than my own on this matter - so a good question I think.)

It was my understanding that the recommended/canonical way of doing this (for Google) is OAuth2. Google has recognized that OAuth2 is tricky, and one of their attempts to simplify it is Cloud Endpoints, along with Google Play Services for Android clients. The instructions for this are here:

https://developers.google.com/appengine/docs/java/endpoints/consume_android#Java_Making_authenticated_calls

Note that while the docs emphasize User authentication, it also supports app authentication.

What I don't know (but would like to) is how to do the same thing for a non-endpoints app, so I guess this is just a partial answer.

手持菜刀,她持情操
#6 · 2019-03-31 04:23

Generate a private key/public key pair in openssl. In the app distribution, distribute the public key. Have a custom HTTP header called appName and encrypt the appname (a unique constant unpredictable bit large number) and send it. Ensure your code is obfuscated so that no one is able to view the appname. Then since you are encrypting, even if someone traces the HTTP calls, the appname will be visible as an encrypted value. At your server end, decrypt the appname using the private key. Hope this helps.

Viruses.
#7 · 2019-03-31 04:26

The canonical way to do this is using SSL and client certificates. I'm not sure whether App Engine supports this.

Do be aware, however, that if you're distributing your APK then you can't rely solely on anything distributed with the APK -- it would be possible (if rather unlikely, depending on how high-profile you are as a target) to extract whatever information is required to spoof the application.