1. Don't share the URL. That's the easiest thing to do, and your first line of defence.
2. Don't set ServiceURL in Designer, set it in blocks - not a normal text block, but an OBFUSCATED text block. Another layer of security from anyone tearing up the APK.
3. For all your tags, use a specific naming system with a keyphrase at the start. To store login details, for example, you could use "sysadmin/passphrase/username" as the tag, where passphrase and username are up to you of course. In the app, while joining strings to assemble the tag, again, put passphrase in an OBFUSCATED text block. This should prevent others from reading your data.
Don't hesitate to share your own ways; this is by no means an exhaustive list.
Happy Inventing,
Kanishka