iPhone
bigbaraboom, 2013-01-23 10:35:15

Data encryption when accessing the API

There is a mobile application that accesses a specific URL and receives data. What is the best way to organize data encryption so that no one except the application can receive and decrypt the data?

Keys could be used, but by decompiling the application an attacker can get the key and use it anywhere.

What should I do? What is the best approach to take?


4 answer(s)
Urvin, 2013-01-23
@Urvin

For example, classically:
1. RSA for key exchange for symmetric encryption
2. Some symmetric algorithm for encrypting data with the received key

The symmetric encryption key is valid within the session.

ragimovich, 2013-01-23
@ragimovich

Could you clarify what you need it for?
If you are protecting the user and the transmitted data, then ordinary HTTPS is enough. Well, in any case, VK thinks so, and their applications have enough users.
If you are trying to protect the API itself, then you can forget about Android right away. Absolutely everything can be picked apart, and then restoring the full API structure becomes just a matter of time. In fact, I have yet to come across an Android program from which it would be impossible to extract the API structure.
Perhaps, by moving the API to the native part using the Android NDK, you can get something secure, but I have not seen such solutions yet. Even private APIs are written in plain Java, and sometimes (rarely enough) they are run through an obfuscator on top, which only slows down the analysis.

Alexander, 2013-01-23
@akalend

As an option, for applications that have an account:
When the application is installed, a key is generated and sent to the server as the first request. Thus, the client and server have symmetric keys, and there will be no way to access your data from another application.
We had a platform for distributing mobile applications. We individually embedded a key into each purchased application, but it is difficult and I do not advise it.
Or, as suggested, RSA.
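
The per-installation key scheme from the answer above, sketched for both client and server as an added example (not code from any poster in this thread). It uses the key to authenticate requests with HMAC rather than to encrypt them, and assumes registration and all later traffic go over HTTPS; `Server`, `sign`, `new_install` and `MAX_SKEW` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed policy)


class Server:
    """Hypothetical server side: stores one key per installation."""

    def __init__(self):
        self.keys = {}     # install_id -> key registered on first request
        self.seen = set()  # (install_id, nonce) pairs already accepted

    def register(self, install_id, key):
        # First request after install; assumed to travel over HTTPS.
        if install_id in self.keys:
            raise ValueError("installation already registered")
        self.keys[install_id] = key

    def revoke(self, install_id):
        # Drop a key that is known to have leaked from one device.
        self.keys.pop(install_id, None)

    def verify(self, install_id, ts, nonce, body, tag, now=None):
        key = self.keys.get(install_id)
        if key is None:
            return False  # unknown or revoked installation
        expected = sign(key, install_id, ts, nonce, body)
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key or modified request
        now = time.time() if now is None else now
        if abs(now - ts) > MAX_SKEW or (install_id, nonce) in self.seen:
            return False  # stale or replayed request
        self.seen.add((install_id, nonce))
        return True


def sign(key, install_id, ts, nonce, body):
    # Length-prefix each field so field boundaries cannot be shifted.
    parts = (install_id.encode(), str(int(ts)).encode(), nonce, body)
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def new_install():
    """Client side at install time: random id and 256-bit key."""
    return secrets.token_hex(8), secrets.token_bytes(32)
```

A key extracted from one installation only identifies that installation, so the server can revoke it without affecting other users.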
