I have created REST APIs for my Android app. All APIs are protected using OAuth2 (password grant_type).
The user provides the username and password, and the server verifies the credentials and issues an access_token and refresh_token, which can then be used for calling the APIs.
Now the problem here is that the APIs are public and open to everyone. How can I verify that only calls generated from my apps are honored?
Scenario: XYZ is a user of my app and also a very good developer. He was curious enough to figure out how my app and APIs are interacting. Now he is also a bit ambitious (I guess) and decides to create his own Android app (similar to my app) that uses my REST APIs. How can I secure my APIs against this usage?
I looked over a few other posts but I didn't find anything useful to protect my APIs from such usage.
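The password-grant flow described in the question, as an added example (not code from the asker's app): a minimal in-memory token endpoint plus the resource-server check, showing that the only client-identifying input the server ever sees is the client_id the caller chooses to send. The names USERS, CLIENTS, token_endpoint and authorize, and the credentials, are constructed for this demo.

```python
import secrets
import time

# Constructed demo data; a real server stores password hashes, never plaintext.
USERS = {"alice": "correct horse battery staple"}
# Registered client_id values. Whatever string the caller sends is all the server can check.
CLIENTS = {"android-app"}

ACCESS_TTL = 3600            # access tokens live one hour
REFRESH_TTL = 30 * 24 * 3600 # refresh tokens live 30 days
_access = {}   # access_token  -> (username, client_id, expires_at)
_refresh = {}  # refresh_token -> (username, client_id, expires_at)

def _issue(username, client_id, now):
    """Mint a fresh opaque access/refresh pair bound to the user and client_id."""
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    _access[access] = (username, client_id, now + ACCESS_TTL)
    _refresh[refresh] = (username, client_id, now + REFRESH_TTL)
    return {"access_token": access, "refresh_token": refresh,
            "token_type": "Bearer", "expires_in": ACCESS_TTL}

def token_endpoint(form, now=None):
    """Handle POST /oauth/token for grant_type=password and grant_type=refresh_token.
    Returns (token_response, None) on success or (None, oauth_error_code) on failure."""
    now = time.time() if now is None else now
    client_id = form.get("client_id")
    if client_id not in CLIENTS:
        return None, "invalid_client"
    grant = form.get("grant_type")
    if grant == "password":
        stored = USERS.get(form.get("username", ""))
        if stored is None or not secrets.compare_digest(stored, form.get("password", "")):
            return None, "invalid_grant"
        return _issue(form["username"], client_id, now), None
    if grant == "refresh_token":
        rec = _refresh.pop(form.get("refresh_token", ""), None)  # single use: rotate on refresh
        if rec is None or rec[2] < now or rec[1] != client_id:
            return None, "invalid_grant"
        return _issue(rec[0], client_id, now), None
    return None, "unsupported_grant_type"

def authorize(authorization_header, now=None):
    """Resource-server check: (username, client_id) for a valid, unexpired Bearer token, else None."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    rec = _access.get(authorization_header[len("Bearer "):])
    if rec is None or rec[2] < now:
        return None
    return rec[0], rec[1]
```

Every decision in authorize depends only on the token and what was recorded at issuance, so a different app presenting the same username, password and client_id is indistinguishable from the original one at the API.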