Can someone figure out your API endpoints? Yes.
There are various ways to figure your endpoints out; I will mention two relatively easy ones:
Setting up a proxy for the phone and inspecting requests:
- Attacker connects a phone with your application installed to their device.
- Attacker installs their own certificate on the phone and proxies the traffic through their device, where sniffing software is running.
- Attacker is now able to see outgoing and incoming requests in plain text even if your endpoints are behind HTTPS.
Reverse engineering your application from the APK
- Attacker downloads and installs your application like any other user
- Attacker acquires the APK of your application (it is possible to do this with the `adb` tool)
- Attacker uses tools like APKTOOL, dex2jar and JD-GUI to acquire and inspect the source code of your application.
Attacker would then look for strings in your application and eventually they would figure out your endpoints.
Obfuscation, as advertised by the other answer, does indeed help to hide your endpoints, but it does not prevent anyone from discovering them. As a general rule of thumb, you should never rely on obfuscation to hide anything that you consider a secret.
Can someone misuse your API endpoints? That depends.
If all your endpoints are used to deliver otherwise publicly available content to your application, then misuse is probably not going to be an issue.
But let's say that you manually pick the content that will be delivered to the users of your application and the users buy your application because they want to get access to your hand-picked selection of content.
In such a case, someone can misuse your unprotected endpoints - they can access your hand-picked selection of content and provide it to other users without paying (or for less money than the users would have to pay you).
The answer to your second question really depends on what kind of information you provide on your endpoints and how much you, or your users, value it.
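The string search that the answer describes after the APKTOOL / dex2jar / JD-GUI step, as an added example that is not part of the original answer: a small `strings`-style scanner over a byte blob standing in for a decompiled `classes.dex`, which pulls out anything that looks like a URL, a hostname or a URL path. It goes one step beyond the text to illustrate the obfuscation caveat: a base64-encoded URL is recovered just as easily as a plain one, because decoding a handful of candidates is cheap. The sample blob, every hostname and path in it, and the `SAMPLE_STRINGS` / `find_endpoints` names are constructed for this example and belong to no real application.

```python
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample standing in for the string pool of a decompiled classes.dex.
# All hostnames, paths and the base64 blob are made up for this example.
SAMPLE_STRINGS = [
    b"Lcom/example/a/b;",                    # obfuscated class name: not an endpoint
    b"https://api.example.com/v1/content/list",
    b"http://cdn.example.com/images/",
    b"api.example.com",
    b"init",
    # A URL "hidden" by base64-encoding it at build time; still trivially found.
    base64.b64encode(b"https://api.example.com/v1/premium/feed"),
    b"/v1/account/purchase",
    b"onCreate",
]
SAMPLE_BLOB = b"\x00".join(SAMPLE_STRINGS) + b"\x00"

URL_RE = re.compile(r"^https?://[^\s\"'<>]+$")
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]*[A-Za-z0-9]$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Pull printable ASCII runs out of a binary blob, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, blob)]


def try_b64(candidate: str):
    """Decode a base64-looking string; return None if it is not valid text."""
    try:
        return base64.b64decode(candidate, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def looks_like_endpoint(s: str) -> bool:
    return bool(URL_RE.match(s) or HOST_RE.match(s) or PATH_RE.match(s))


def find_endpoints(blob: bytes) -> dict:
    """Classify extracted strings into URLs, hosts, paths and decoded base64 hits."""
    found = {"urls": set(), "hosts": set(), "paths": set(), "decoded": set()}
    for s in extract_strings(blob):
        if URL_RE.match(s):
            found["urls"].add(s)
            found["hosts"].add(urlsplit(s).hostname)  # host implied by the URL
        elif HOST_RE.match(s):
            found["hosts"].add(s)
        elif PATH_RE.match(s):
            found["paths"].add(s)
        elif B64_RE.match(s):
            decoded = try_b64(s)
            if decoded and looks_like_endpoint(decoded):
                found["decoded"].add(decoded)
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, items in find_endpoints(SAMPLE_BLOB).items():
        for item in items:
            print(f"{kind:8} {item}")
```

On a real decoded APK the input would be every file under the apktool output directory (and `strings.xml`, where endpoints are often kept), not one blob, but the matching logic is the same; ProGuard-style renaming changes `Lcom/example/a/b;`, not the string literals the code actually sends requests to.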
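The misuse case in the second half of the answer, as an added illustration rather than anything the answer itself prescribes: a hand-picked content endpoint first in the unprotected form (whoever has found the URL gets the content) and then with a server-side, per-user entitlement check. The point it adds is that, since the first half shows anything baked into the app can be extracted, the thing the server checks has to be a credential issued per user, not a key that ships in the APK. The token scheme (HMAC-signed `user:expiry`), the `SERVER_SECRET`, the subscriber list and the request dictionaries are all constructed for this example.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import time

# Constructed for the example; a real deployment loads this from a secrets store.
SERVER_SECRET = b"example-only-server-side-secret"
# Constructed subscriber registry: who has actually paid.
PAID_USERS = {"alice"}
PREMIUM_CONTENT = ["Hand-picked article 1", "Hand-picked article 2"]


def issue_token(user: str, ttl: int = 3600, now=None) -> str:
    """Server issues an HMAC-signed 'user:expiry' token after login/purchase."""
    now = time.time() if now is None else now
    payload = f"{user}:{int(now + ttl)}".encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token: str, now=None):
    """Return the user name if the signature is valid and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    try:
        user, exp = payload.decode().rsplit(":", 1)
        if int(exp) < now:
            return None
    except (UnicodeDecodeError, ValueError):
        return None
    return user


def unprotected_endpoint(request: dict):
    """The misuse case: the URL is the only 'secret', and the URL is discoverable."""
    return 200, PREMIUM_CONTENT


def protected_endpoint(request: dict, now=None):
    """Same content, but entitlement is decided server-side per user."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing token"}
    user = verify_token(auth[len("Bearer "):], now=now)
    if user is None:
        return 401, {"error": "invalid or expired token"}
    if user not in PAID_USERS:
        return 403, {"error": "no active subscription"}
    return 200, PREMIUM_CONTENT


if __name__ == "__main__":
    anon = {"headers": {}}
    print("unprotected, anonymous:", unprotected_endpoint(anon)[0])
    print("protected, anonymous:  ", protected_endpoint(anon)[0])
    alice = {"headers": {"Authorization": "Bearer " + issue_token("alice")}}
    print("protected, paid user:  ", protected_endpoint(alice)[0])
```

Knowing the endpoint is still useful to an attacker of the protected version (they can see what the API offers and probe it), but it no longer lets them re-sell the content: each request is tied to a paying account that can be rate-limited or revoked.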