I know this question may seem a bit malicious in nature, but I'm just trying to learn best practices in Android/mobile app development, and security is definitely a big issue in software. If you still, after reading this question (!), think it is malicious in nature, just keep in mind I'm not asking how to implement any of these attacks, I'm just asking which attacks a good Android/mobile developer needs to be cognizant of.
Below is a list of the "official" OWASP Top 10 security threats for applications (link is here). I was wondering which of these (if any) apply to Android development, or if there are any other major attacks not listed here:
Please note: I'm not talking about websites that are built for being displayed in mobile devices. I'm talking about actual applications that are deployed on mobile devices. In the case of Android, this means APKs.
It's hard to answer your question in specifics because from what you've posted you are curious about your Android Application and your Java server, but you're asking a very generic question. Much of what the OWASP has published is very high level so getting any real substantive answers is going to be hard without knowing the specifics of how your Android application and server work. Generally, people aren't going to attack a phone when they can go after the server and own all of the data that will pass through all of the phones not just a single handset.
So injection, XSS, CSRF, etc. mostly apply to the server side. You could perform injection into the Android SQLite database if your program uses it (see how the specifics of your app come into play here). XSS, CSRF could apply if your app is a web based client, or using webview for any part of it (again specifics matter).
Injection on the server for Java can easily be remedied by using PreparedStatements/PreparedCall. Don't use Statement. If you're using JPA, Hibernate, iBatis, most of these use PreparedStatements under the hood. In Java apps it's easy to thwart those attacks:
https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
XSS and CSRF are harder, but can be prevented using a filter. Read down this page, and you'll see where there is another link to the project that describes it.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Sending passwords over an insecure connection. If you send a password over HTTP or a non-SSL socket then you're going to be disclosing too much information (using one-way hashes doesn't help because I don't need to know the password. All I need is the hash and that's transmitted in the clear). So make sure you are using SSL for authenticating users. Then we can get into how you are storing those passwords in your database. Are you using a one-way hash? Are you using bcrypt? If not, are you using salts? Are you iterating on the hash to increase the time it takes to break that hash?
Most break-ins involve getting access to the underlying database through vulns in the OS, database, SQL injection, etc. Grabbing the table storing the user and passwords. Then run a super fast brute force method using simple off the shelf graphics cards to brute force passwords. Most one-way hashes can be broken today using this method if you don't take care to protect your passwords appropriately.
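As an added example (not from the question or the answer above), here is how the answer's two server-side points look in Java: a PreparedStatement lookup next to the concatenated query it replaces, and salted, iterated password hashing using the JDK's built-in PBKDF2 (used here instead of bcrypt only because it needs no extra library). The `users` table layout and column names are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginCheck {
    // Assumed schema: users(username TEXT, salt TEXT, iterations INT, hash TEXT)
    private static final int ITERATIONS = 100_000; // raise as hardware gets faster
    // Don't do this: the username becomes part of the SQL text, so a quote in it rewrites the query.
    static String concatenatedQuery(String username) {
        return "SELECT hash FROM users WHERE username = '" + username + "'";
    }
    // Do this: the value is bound separately from the SQL text and is never parsed as SQL.
    static String[] findCredentials(Connection conn, String username) throws SQLException {
        String sql = "SELECT salt, iterations, hash FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null; // unknown user
                return new String[] { rs.getString("salt"), String.valueOf(rs.getInt("iterations")), rs.getString("hash") };
            }
        }
    }
    // Slow, salted, iterated one-way hash so a stolen table cannot be brute-forced cheaply.
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    // Values to store for a new user: a fresh random salt per account plus the iteration count.
    static String[] newCredentials(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return new String[] { enc.encodeToString(salt), String.valueOf(ITERATIONS), enc.encodeToString(pbkdf2(password, salt, ITERATIONS)) };
    }
    // Recompute with the stored salt and iteration count, then compare in constant time.
    static boolean verify(char[] password, String[] stored) throws GeneralSecurityException {
        Base64.Decoder dec = Base64.getDecoder();
        byte[] expected = dec.decode(stored[2]);
        byte[] actual = pbkdf2(password, dec.decode(stored[0]), Integer.parseInt(stored[1]));
        return MessageDigest.isEqual(expected, actual);
    }
}
```

Storing the iteration count alongside the hash lets you raise it for new accounts without invalidating existing ones.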