android how to hide or protect from url link in source code

Question

I used url link in my app to send and receive data from server. If some body decompile my apk file and get source can use url and send spam or do some buy without pay!

now how can I protect url links?

This is a sample of request to server that I used. (still I use local server until finish application)

public class GetProduct {

    ArrayList<Product> arrayList;
    ProgressDialog progressDialog;
    String url = "http://192.168.43.46/fasabazar/android/getProductsFullInfo";
    OnProductRecieved onProductRecieved = null;

    public GetProduct(final OnProductRecieved onProductRecieved, final Context context) {
        arrayList = new ArrayList<>();
        progressDialog = new ProgressDialog(context);
        this.onProductRecieved = onProductRecieved;
        JsonArrayRequest request = new JsonArrayRequest(Request.Method.GET, url, null, new Response.Listener<JSONArray>() {
            @Override
            public void onResponse(JSONArray response) {

                JSONArray jsonArray = (JSONArray) response;
                progressDialog.dismiss();
                onProductRecieved.OnRecieved(response);
                // Toast.makeText(context, jsonArray.toString(), Toast.LENGTH_SHORT).show();

            }
        }, new Response.ErrorListener() {
            @Override
            public void onErrorResponse(VolleyError error) {

            }
        });

        progressDialog.show();
        request.setRetryPolicy(new DefaultRetryPolicy(7000, DefaultRetryPolicy.DEFAULT_MAX_RETRIES, DefaultRetryPolicy.DEFAULT_BACKOFF_MULT));
        RequestQueue requestQueue = Volley.newRequestQueue(context);
        requestQueue.add(request);
    }

    public interface OnProductRecieved {
        void OnRecieved(JSONArray response);
    }
}

Answer 1

You can't reliably protect those URL links. You may obfuscate your code, but there are tools to reverse obfuscation.

If someone wants to de-compile your code and de-obfuscate it, it's because they think you must have something valuable there to go after. In which case, your security approach is all wrong; It's your server or web service that is vulnerable, not just your App.

1. Your code does not use HTTPS, so simply "sniffing" the network traffic will reveal the URL. A "sniffer" can also see the response data.
2. You should use HTTPS which means modifying your server configuration and obtaining a site certificate. But that won't solve the fact that your code cab be easily examined for the URLs. And HTTPS will only encrypt the data being exchanged, not the URL use to establish the connection, so once the URLs are known, they can be used on an HTTPS web site, and the user can still get the data without your app.
3. Most web sites where you have to PAY for something use some sort of secure payment package (e-commerce) or a user login (subscription service). You should search online for a payment package and redesign for a more secure web service.

Sorry if this is not what you wanted to here.