
Identify Android user account from web server


I have a REST web server that serves requests from Android devices, where I write both the server and client code. Here I want to control and limit user requests based on an account whitelist. For example, I accept all requests for the URL A from any user, but I accept requests for the URL B only from the users { admin@gmail.com, johndoe@gmail.com }.

Of course, sending a user ID as plain JSON text is not a desirable solution because the client can be breached. Is there a more secure mechanism available in Android, like the device sending private information about the logged-in account and the server verifying the user's identity?


Solution

  • If you have some type of authentication system, like a simple login, one possible solution could be using a generated token to represent a user session. That way you can control user access without sending sensitive information such as the user ID, and in case the client is breached, you just revoke that token.
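A minimal server-side sketch of the token approach described in the answer, added here as an example (it is not code from the question or the answer): login issues an opaque random token, the server keeps only the token's hash, each URL carries its own whitelist, and a token from a breached client is revoked without touching the account. The paths, the TTL and the alice@example.com account are constructed for the example.

```python
import hashlib, secrets, time

ANY_USER = object()
# Constructed access list: URL A is open to any logged-in user, URL B only to
# the two accounts named in the question. Unknown paths deny everyone.
ACL = {"/a": ANY_USER, "/b": {"admin@gmail.com", "johndoe@gmail.com"}}

class SessionStore:
    """Opaque session tokens: the client holds the random token, the server
    stores only its SHA-256, so a leaked session table yields no usable tokens."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock      # injectable so tests can simulate expiry
        self._sessions = {}     # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256((token or "").encode()).hexdigest()

    def login(self, user_id):
        # Call only after the user has proven who they are (password, OAuth, ...).
        token = secrets.token_urlsafe(32)   # 256 random bits: unguessable
        self._sessions[self._digest(token)] = (user_id, self.clock() + self.ttl)
        return token

    def resolve(self, token):
        """User bound to token, or None if unknown, revoked or expired."""
        entry = self._sessions.get(self._digest(token))
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() >= expires_at:
            self.revoke(token)
            return None
        return user_id

    def revoke(self, token):
        # Breached client? Drop the token; the account itself is untouched.
        self._sessions.pop(self._digest(token), None)

def authorize(store, path, bearer_token):
    """(status, user_id): 401 without a valid session, 403 off-whitelist, else 200."""
    user_id = store.resolve(bearer_token)
    if user_id is None:
        return 401, None
    allowed = ACL.get(path, set())
    if allowed is not ANY_USER and user_id not in allowed:
        return 403, user_id
    return 200, user_id
```

The Android client only ever sends the bearer token (over TLS) and never the account ID, so whitelist decisions rest on state the server controls.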