It is probably necessary to protect the publicly available, undocumented API so that it can only be accessed by one application, which means that you want to prevent users from using your API other than through the application that is built on it.
There will always be people who will try every opportunity to use your API.
If that is not the case, adding an auth token will not be trivial, but it is at least a big step against people who stumble upon your API. And it is not a bad idea to implement it.
Since this authentication is not user-based but application-level, you do not want the authentication to depend on user input; it must be performed exclusively by the application.
So you still have to do this (add a hard-coded token). You will only make it very difficult for a determined person to discover the access and request tokens and methods.
It depends on the situation, but I would go for SSL and a hard-coded token.
Additional protection:
- Issue an access token to the application, which then only needs to be sent periodically to request a session token. That way fewer random people intercept the hard-coded token; they see only a session access token that expires. Maybe do this just once per installation of the application.
- Encrypt this request token before sending it over the air, keeping in mind that people can decompile your application.
- Obfuscate the code (make it harder to decompile).
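The token exchange described above, as an added server-side example that is not part of the original answer: the application presents its hard-coded app token once and receives a short-lived, HMAC-signed session token; the app token and signing key are constructed placeholders, and `SESSION_TTL_SECONDS` is an assumed expiry.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed placeholder secrets for this example; a real deployment loads
# them from a secrets store, never from source control.
APP_TOKEN = "app-token-EXAMPLE-0000"          # hard-coded token shipped in the app
SERVER_SIGNING_KEY = b"server-signing-key-EXAMPLE"
SESSION_TTL_SECONDS = 15 * 60                 # assumed lifetime of a session token


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    tag = hmac.new(SERVER_SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")


def issue_session_token(presented_app_token: str, now: Optional[float] = None) -> Optional[str]:
    """Exchange the long-lived app token for an expiring session token.

    Returns None when the app token does not match. The comparison is
    constant-time so response timing does not reveal how much of it matched.
    """
    if not hmac.compare_digest(presented_app_token.encode(), APP_TOKEN.encode()):
        return None
    now = time.time() if now is None else now
    expiry = int(now) + SESSION_TTL_SECONDS
    nonce = secrets.token_hex(8)              # makes each issued token unique
    payload = f"{expiry}:{nonce}".encode()
    return f"{payload.decode()}:{_sign(payload)}"


def verify_session_token(token: str, now: Optional[float] = None) -> bool:
    """Accept only tokens with a valid signature that have not yet expired."""
    now = time.time() if now is None else now
    try:
        expiry_s, nonce, tag = token.split(":")
        expiry = int(expiry_s)
    except ValueError:
        return False                          # malformed token
    expected = _sign(f"{expiry}:{nonce}".encode())
    if not hmac.compare_digest(tag, expected):
        return False                          # tampered expiry/nonce or forged tag
    return now < expiry
```

An intercepted session token is only useful until its expiry, and a client that tampers with the expiry field fails the signature check.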