My question is this: I have a Rails server and I make queries on that server using an Android application. If I were creating a web system, I would use sessions to manage the permissions of my system. However, since I have the application, I enforce the constraints within it (if the user does not log in, they will not have access to the system).
My fear is that someone will use the routes I've created in Rails to access restricted data from users and to insert data fraudulently. Is there any way around this?
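Added example, not part of the original post: the client-side login check in the Android app does not protect the routes, because anyone can call them directly, so the server has to verify the caller on every request. The plain-Ruby sketch below (assumed names; no Rails dependency, an in-memory store standing in for a database table) shows the shape of that per-request check, which in Rails you would put in a `before_action` using `authenticate_with_http_token`.

```ruby
require "securerandom"
require "digest"

# Constructed in-memory store: SHA-256 digest of token => user id.
# A real app would keep this in a database table; only digests are stored,
# so a copied table does not hand out usable tokens.
TOKEN_STORE = {}

def token_digest(token)
  Digest::SHA256.hexdigest(token)
end

# Login route: the only place that accepts username/password (not shown).
# On success it issues a random bearer token for the app to send back later.
def issue_token(user_id)
  token = SecureRandom.hex(32)
  TOKEN_STORE[token_digest(token)] = user_id
  token
end

# Per-request check, the server-side equivalent of a Rails before_action.
# Returns the user id for a valid "Authorization: Bearer <token>" header, nil otherwise.
# Looking up the digest (rather than comparing raw tokens) avoids leaking
# token bytes through comparison timing.
def authenticate(headers)
  scheme, token = headers["Authorization"].to_s.split(" ", 2)
  return nil unless scheme == "Bearer" && token && !token.empty?
  TOKEN_STORE[token_digest(token)]
end

# Simulated protected route. Every call re-checks the token and then checks
# that the authenticated user actually owns the requested resource, no matter
# what the Android client believes about its own login state.
def handle_request(headers, resource_owner_id)
  user_id = authenticate(headers)
  return [401, "unauthorized"] if user_id.nil?
  return [403, "forbidden"] unless user_id == resource_owner_id
  [200, "data for user #{user_id}"]
end
```

Send the token over HTTPS only, and store it on the device in app-private storage; the same check applies to routes that insert data, not just those that read it.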