Reputation: 727
I am trying to find ways to ensure that anyone invoking the app's URLs from anywhere other than the app is treated as invalid, and I am using okhttp3. In my request header I have a user-agent whose value is the app key-hash, generated when needed and never logged, using:
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Base64;
import android.util.Log;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
try {
    // GET_SIGNATURES returns the signing certificate(s) of the installed APK
    PackageInfo info = getPackageManager().getPackageInfo("MY PACKAGE NAME", PackageManager.GET_SIGNATURES);
    for (Signature signature : info.signatures) {
        // "SHA" resolves to SHA-1 on Android
        MessageDigest md = MessageDigest.getInstance("SHA");
        md.update(signature.toByteArray());
        String sign = Base64.encodeToString(md.digest(), Base64.DEFAULT);
        Log.e("MY KEY HASH:", sign); // debug output only; this writes the hash to logcat, remove before release
    }
} catch (PackageManager.NameNotFoundException e) {
    // the package is not installed under that name, so no hash can be computed
} catch (NoSuchAlgorithmException e) {
    // SHA is always available on Android, so this should not happen
}
This way, for every request sent, I am checking whether the user-agent's value matches the one on my server (generated from keystore + signed APK) before anything else is done. On top of that, the data is all POST and the URLs are all HTTPS.
My main concern is: can someone extract the app key-hash from the APK? Even power users using Xposed, memory dumps, etc.?
Is this secure enough?
Upvotes: 0
Views: 41
Reputation: 42754
Nothing you can implement would stop a power user from extracting the necessary values. It is just a matter of how long it takes (minutes, hours or days).
The presented solution is really simple. I assume that breaking it using Xposed or a man-in-the-middle proxy is just a matter of minutes.
If you really want security you have to use SSL/TLS certificate pinning and use a good Android hardening framework (usually the good ones cost a bit).
Upvotes: 1
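To make the answer's pinning recommendation concrete for the okhttp3 client mentioned in the question, here is an added example (not code from the question or the answer) that configures an OkHttpClient with a CertificatePinner, so that a connection through an interposing proxy fails before the request header is ever sent. The host name and the two pin strings are placeholders and must be replaced with the real server's values.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

public final class PinnedClient {
    // Placeholder API host; replace with the real one.
    private static final String API_HOST = "api.example.com";

    // Placeholder pins: base64 SHA-256 of the server's SubjectPublicKeyInfo.
    // Compute the real values from your certificate (see the OkHttp
    // CertificatePinner documentation); keep a backup pin for key rotation.
    private static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    // Build a client that only completes the TLS handshake when the presented
    // chain contains a public key matching one of the pins for API_HOST.
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_CURRENT)
                .add(API_HOST, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectTimeout(10, TimeUnit.SECONDS)
                .build();
    }

    // Send a POST; returns false when the pin check fails or the request errors.
    public static boolean post(OkHttpClient client, String url, RequestBody body) {
        Request request = new Request.Builder().url(url).post(body).build();
        try (Response response = client.newCall(request).execute()) {
            return response.isSuccessful();
        } catch (SSLPeerUnverifiedException e) {
            // Thrown when no certificate in the chain matches a pin, e.g. a
            // proxy CA has been inserted; nothing has been sent at this point.
            return false;
        } catch (IOException e) {
            return false;
        }
    }
}
```

Pinning only raises the cost of interception; it does not stop someone with the APK or a hooked process from reading the user-agent value, which is the answer's point.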