It' s very difficult to prevent people from seeing what URL backend you are using. I would argue that is impossible. If they can't decompile the APP, they still could use a PROXY to inspect traffic from the Android APP to your server.
I would put some stuff to make it more difficult though.
Off the top of my head, you could:
- Use a CLIENT_SECRET: a compiled string in the Android APP that your server needs to validate in order to make the account creation.
- Use HTTPs (it will make more difficult to use a PROXY to inspect HTTP traffic)
- Al alternate way of doing (1) is using CLIENT_SECRET to locally encrypt the payload you are using to create the user
- Check for a specific USER_AGENT on the HTTP REQUEST