Do I have to protect Database ID?

[Monospace Software]

Otherwise, what stops anyone that knows Database ID from creating Users?

[maxkatz]

In general yes. However, it's more of a general problem for mobile web apps -- for any other API it's the same problem.

If you are building a hybrid app, it's more secure as it's not as simple to view the page sources.

We are working on a server-side solution where the API keys will be saved on the server and never visible in the client.