This would be my approach:
- Never worry about the security of your Android app. It is the client side, after all. But we can obfuscate the compiled code.
- Encryption for communication, using HTTPS. This may include updating your app and backend.
- Set up the firewall on your server.
- Check MySQL and the server.
- Check for obvious SQL injection and any other normal exploit route.
And, in general, a review of the version of each library you use in your code and on your server.
Please keep in mind that trying to encrypt your Android client is useless. The client can always be faked. But if it is the case that the USER should be protected against a third party, only there can we do something.