I want to restrict access to my GAE backend only to my Android app. I don't want the authentication to be user-based, and I certainly don't want the user to provide their Google account credentials, or any credentials at all. I just want my GAE API to be accessible to my app only.
There are several questions in StackOverflow for this, but I have not understood what is the process.
The GAE Documentation expectedly describes the server-side of things, and does not provide any snippet for Android clients.
I have stumbled upon this Android developers blog post and this Google Cloud Platform sample project, both of which have an awful lots of things to do in order to authenticate (using the user's email address), which seems an overkill. When I generated the client ID for Android, in the Google Developers Console, I specified both the package and the SHA1 checksum from the application's keystore. I was under the impression that they would somehow suffice to identify the app to the server in a more transparent way.
Are the above links the way to go, or am I on the wrong track?
You really can't "Restrict GAE API (Endpoints) to Android app" as of right now. The reason is that a hacker could potentially decompile your Android app and view any type of client keys or other credentials and then have full access to your cloud endpoints api methods.
Is this likely? I am not sure. You would have to do your own research on that. It would depend on many factors such as how well known your app is, how determined the hacker is, etc. For example, Snapchat uses GAE and it had many problems with security where hackers were able to access their API to make 3rd party apps. I imagine it involved some sort of decompilation either of the Android or iOS client.
Take a look at a question (and comments) I asked a while ago that is similar. All Cloud Endpoints is, is a way to create a restful API. Uniquely identifying only your specific Android application is the real problem: How to uniquely identify your Android app for rest API