You should create an API with Basic Auth or OAuth. You can’t rely on your URL because it can be caught in logs.
Check this course out

In addition to shayegh’s answer, you need to understand that every endpoint that you access within your application is public by nature. Everyone can access your server’s endpoint just as well as your mobile application (created by you) can. However, you can make your server’s endpoint protected by adding authorization requirements on your endpoint.

Authorization

There are many authorization protocols out there, OAuth, OAuth2.0, Basic Auth (credentials like email and password), etc. All of these are just ways to grant anyone access to resources in your endpoint. Think of it as a lock on your home door, only someone with a key can go into your house and make a mess.

Please keep in mind that this is a very simplified version of what authorization protocols actually look like, how it actually secures the distribution of access keys/tokens, etc.

Additional questions and answers

1. I tried to generate log files from my android phone, and I can’t seem to find the .php file from the log files. Is that possible for someone to decode the android app or the iphone app so that they can view my source code?

   Answer: I would always assume that everything that is happening on client’s side (mobile app, WebApp’s front end, etc) is beyond my control. That means anyone can access, read, tweak my client applications. With that said, I would assume that it is indeed possible for someone to unravel your android / iPhone app (get the source code) to get your client side keys.

2. How would this (OAuth/basic) help? Surely the person creating the other app would just add the OAuth/basic auth as well, wouldn’t they?

   In order for that other person to access the protected endpoint they would need to have access to your access tokens of the original app. On top of that, they would need to do it fast because usually access tokens only lasts for a short period of time.

3. Will using Basic Auth or OAuth key works if they are able to see my code?

   Yes and no, depending on your implementation, attackers might be able to unravel your app and somehow fetch user’s credentials or tokens from bad practices.

I have an android and iPhone app, and the apps are getting data
from my website based on some conditions they select on the app.

I created a secured url that is not open to the public (can’t be find on our website) and using a hash code that I thought was secure enough. Something like the following

http://test.com/data/get_data.php?key=akl;sd8234

The extra conditions they select in the app will be append as query parameters to the same url.

Base on the condition, the php file will then out data in json format.

However, I discovered recently someone else create the exact same app and actually getting data from my server, and from the secret url that I created. The reason I know is because I change something on that secret get_data.php page and it reflected on their app.

I don’t know who they get a hold to my url, is there a way to create a more secure way to pass the data from my web server to the app so others can’t steal my data?