
Android: How to get SHA1/MD5 fingerprint programmatically?


I'm trying to implement a way to communicate with my backend server and be sure that my backend only answers if it's my application which is calling.

So my idea is that I just send the SHA1/MD5 fingerprint with the HTTPS POST request and verify it on the backend server. If the fingerprint matches, the server will answer.

So my first question is: How do I get these programmatically at runtime? Is it even possible?

The second question is: Can it be that easy? Or do I really have to set up an OAuth server (or use the google-api)? The thing is that I think OAuth is a bit overkill for my use case and I don't want to handle the expiration/refresh-token stuff.


Solution

  • What you're trying to do is impossible. Anything you send to the server as an id can be copied by another application. That's why you have users with passwords that aren't in the application: the password from an outside source is the only way to be sure the request is valid. And that only proves the user is valid, not that it's from your application.
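
The answer's point seen from the backend, as an added example that is not part of the original question or answer: a fingerprint check accepts any client that sends the same constant, while a password check depends on a value that is not shipped in the app. All names (`fingerprint_check`, `password_check`, `demo`) and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample value standing in for the app's signing-certificate SHA-1.
# The signing certificate ships inside every copy of the APK, so this is not a secret.
EXPECTED_FINGERPRINT = hashlib.sha1(b"constructed-demo-certificate").hexdigest()


def fingerprint_check(request: dict) -> bool:
    """The scheme from the question: answer if the posted fingerprint matches."""
    sent = str(request.get("fingerprint", ""))
    return hmac.compare_digest(sent.encode(), EXPECTED_FINGERPRINT.encode())


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash; the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: the password comes from the user, not from the app.
SALT = os.urandom(16)
USERS = {"alice": hash_password("constructed-demo-password", SALT)}


def password_check(request: dict) -> bool:
    """Answer only if the caller presents a valid user's password."""
    stored = USERS.get(str(request.get("user", "")))
    if stored is None:
        return False
    candidate = hash_password(str(request.get("password", "")), SALT)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    genuine = {"fingerprint": EXPECTED_FINGERPRINT,
               "user": "alice", "password": "constructed-demo-password"}
    # A different application that embeds the same constant but has no password.
    other_app = {"fingerprint": EXPECTED_FINGERPRINT, "user": "alice", "password": ""}
    return {
        "fingerprint_genuine": fingerprint_check(genuine),
        "fingerprint_other_app": fingerprint_check(other_app),  # indistinguishable
        "password_genuine": password_check(genuine),
        "password_other_app": password_check(other_app),
    }


if __name__ == "__main__":
    print(demo())
```

As the answer says, the password check still proves only that the user is valid, not which application sent the request.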