I'm trying to lock down my Cloud Endpoints API so that only my Android app can use it, however, I do not want to use Oauth2+Google Accounts to do that. The reason is that I do not want to require my users to have a google account to login to the app. For example, Snapchat uses Google App Engine, but does not require you to have a Google email to use their app - you just create your own user name and password.
I have read several posts offering suggestions:
How do I restrict Google App Engine Endpoints API access to only my Android applications?
Authenticate my "app" to Google Cloud Endpoints not a "user"
How do I protect my API that was built using Google Cloud Endpoints?
But wasn't able to find a satisfactory answer. From everything I read, I was considering having a "token" parameter for all my Cloud Endpoints API method that is just my own 64 character long random string. Server-side, I would compare the passed in token string to what is stored on the server in server code. If they match, bingo! you have access to run that method. If they don't, you get an error.
A potential problem with the above approach is that someone could try to decompile my APK, get that token stored in pain text inside my android code, and then make calls to my API.
I was reading that parse.com also potentially has that problem, where their special token can be decompiled in the APK. They solve that problem by offering ACL's (access control lists).
But I really want to use Google Cloud Endpoints and not Parse. Right now, this limitation of having to have a Google Account is really annoying... Is there any way around this that people have found?
