Randomly generated url (even by a bad random generator like a human) is equivalent to an API key. Your exact same argument you made about the url can be made about a baked in API key.

Implement auth, do extremely basic auth if you have to using http basic auth over https and check against a hardcoded value on the server, it's not secure by any stretch of the imagination but is better than giving "api keys" to any intermediary that can do a string dump on your APK...