Can someone detect the URL an android app uses?
HTTPS (i.e. SSL/TLS) encrypts all HTTP communication including the entire URL. HTTPS does not protect the domain name as this is sent to the DNS in the clear, but it does protect the rest of the URL. Other apps don't have access to your app's SSL/TLS encrypted traffic including URLs. So as long as the SSL/TLS connection is setup securely an attacker won't be able to obtain you URI from the traffic.
But from the last sentence you wrote ("I know how to obfuscate and hide the URL in the code, so it can't be seen by decompiling the app") I understand that you need to protect the URL against an attacker who has full access to the device (e.g. the owner of the device). In this case you can't rely on SSL/TLS connection being secured as it's possible for the atttacker to install his on CA certificate on his device. This completely nullifies the security of SSL/TLS, as the attacker can impersonate your server and perform a man-in-the-middle attack - just like Alexey V. Borodin's hack on Apple in-app purchases. Even if you use a hardcoded SSL certificate the attacker can root the device and modify the O/S to output all SSL/TLS communications in the clear. So HTTPS will not protect your URIs from an attacker running your app on his own device.
- Set up an ad-hoc network on a computer.
- Make your phone connect to the newly created network
- Use Wireshark to see what connections are made
In an HTTPS connection the URL data is encrypted. The IP address and port of the server being connected to can be easily enumerated using a packet sniffer, so chances are if the URL can be sniffed the server isn't going to be a secret. Data transmitted within a https (ie SSL/TLS) connection is secret as long as there is no Man in the Middle, see previous discussions about that subject.
If the object is to try and prevent anyone from seeing what system the app is connecting to then the only conceivable way to do it is to tunnel the traffic through a VPN of some kind, and hope that any listener can't sniff the traffic coming out of the other side. Sending your traffic through some sort of anonymizer would accomplish this.