Securing Android Application API access

While creating an Android App that uses an API, the most difficult problem to solve is API security.

Creating a token and securing it in KeyStores is one thing. But what about a guest user?

A guest user requires a Token, and acquiring that Token from the API is not secure, as this API should not require any signing credentials. And creating a temporary Token for the guest user in the Application side is not secure as anything on the Application or Device is accessible one way or another.

I have searched about the thing, and these are the solutions I’ve found.

1. Creating a 2-part key : This is not secure, as there is still something on the Application side.
2. Google’s Application authorization : I’ve found that there is a way to use Google’s services to determine whether this client (Application or whoever sent the request) is a valid (legitimate) user, i.e, the request was sent from the Application for which the API was designed for. However, I’ve seen that this method requires waiting, as the validation is not immediate.
3. SSL Pinning : I’m not very familiar with the concept, but from what I understand, it’s basically creating a Certificate that only your app and the server trust. But that seems to also put code (or in this case, a .crt file) in the app package, which can be compromised and used.

I understand that there are tactics such as ProGuard and DexGuard, but these only make it harder for someone to break into your app, and in DexGuard’s case, it’s paid.

I thought about using the API to identify that only the client is the app using the package name, but that’s not possible since the HTTP/S Client requesting the API is not the app, it’s the system’s, or in some cases the library’s, own HTTP/S Client implementation, which does not contain any information about the app, only the system/client.

From my understanding of application security, these are the main security flaws to be noticed :

1. Anything inside the application code, files, or resources can be accessed using the APK or the application’s own folders on the system.
2. Even HTTPS SSL certified requests can be sniffed and the attacker can obtain all information about the API (URL, Parameters, etc).
3. Even if something was protected by the system (such as files), rooted/hacked devices can get access to these resources (there are also legitimate reasons to root your Android device, which means you cannot just block rooted devices).

Searching around in Information Security questions most focus about the Android system’s security, not the security between an App and it’s API. And the few that do, discuss the security from the server’s side, or simply give an example about using a certain technology (Certificate Pinning or Certificate Transparency) in plain code, which is still not secure.

Question :

What are the tactics used to protect an Application from an attacker?

What methods should I be researching to make 95-99% sure my application won’t be attacked (there is no 100%, I know, but that 1-5% are dedicated attackers, which wouldn’t waste time on such applications from a less known provider)

Possible Attack :

The App has a guest user, meaning they need a temporary Token to use the app. This token cannot be generated from the API, as it does not require any authorization. And cannot be generated from the App since breaking the application code is simple and the attacker can discover the method of generating a temporary Token.

This leads the the API and Application being exposed to the attacker, giving them access to the API’s data.