I have an application which parses data from my webspace. But if you reverse engineer my app, anyone could find out where I store my data. How can I prevent others from accessing my XML files? (I store all my file paths in Strings files, so ProGuard won’t solve it.) Is there a way to save data on a workspace so that only the app can access it? Or is there a service which provides such a function? (Note: I don’t have any experience with web development.)
Thanks in advance 🙂
There’s not really an easy way to do this. There are several things you can do like password protecting your directory (but then the password must be stored in the apk) or using an API key (but again, you need to store that in the apk).
One option would be to dynamically build the string paths through some sort of complicated algorithm, thus making proguard obfuscation helpful. However, at the end of the day, you would still be vulnerable to packet inspection (assuming you’re not using HTTPS). You also could build in a shared secret generator (basically an algorithm that generates a seemingly random key based on time) that runs on the app and runs on the server. The values would then be compared at runtime and if they match, the file would be served. Again, proguard obfuscation would help make it difficult to figure out how the algorithm works.
Another option would be to make use of Android’s private space. You’re hosed if the phone gets rooted, but it would help. Basically following this algorithm:
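For the time-based shared secret generator mentioned earlier in this answer (not the private-space approach), here is an added example that is not part of the original answer. It sketches both sides in Python: the app derives an HMAC token from a shared secret, the requested path and the current time step, and the server recomputes it before serving the file. The secret, the path `/data/feed.xml`, the 30-second step and the `handle_request` helper are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo secret. In the scheme above this value ships inside the APK,
# so obfuscation only raises the effort needed to recover it.
SHARED_SECRET = b"constructed-demo-secret"
STEP_SECONDS = 30   # how long one time step lasts
ALLOWED_DRIFT = 1   # accept +/- this many steps of clock skew


def _token_for(counter, path, secret):
    """HMAC-SHA256 over the time step and the path, so a token is bound to one file."""
    message = f"{counter}:{path}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def make_token(path, now=None, secret=SHARED_SECRET):
    """App side: derive the token for the current time step."""
    now = time.time() if now is None else now
    return _token_for(int(now // STEP_SECONDS), path, secret)


def verify_token(path, token, now=None, secret=SHARED_SECRET):
    """Server side: recompute tokens for nearby time steps and compare."""
    now = time.time() if now is None else now
    counter = int(now // STEP_SECONDS)
    supplied = token.encode("utf-8")  # bytes, so odd input cannot raise TypeError
    ok = False
    for drift in range(-ALLOWED_DRIFT, ALLOWED_DRIFT + 1):
        expected = _token_for(counter + drift, path, secret).encode()
        # compare_digest does not leak how many leading characters matched
        ok |= hmac.compare_digest(expected, supplied)
    return ok


def handle_request(path, token, now=None):
    """Hypothetical handler: HTTP status the server would return for this request."""
    return 200 if verify_token(path, token, now) else 403


if __name__ == "__main__":
    t = 1_700_000_000  # constructed timestamp
    tok = make_token("/data/feed.xml", now=t)
    print(handle_request("/data/feed.xml", tok, now=t))        # valid token
    print(handle_request("/data/feed.xml", tok, now=t + 120))  # expired token
```

A captured token can be replayed until its time window closes, so the request still needs HTTPS, as the answer notes about packet inspection.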