You can probably run some sort of dyndns client on android. I'd think maybe in something like termux.
Otherwise, check out mutual-TLS, also known as client SSL.
We use SSL all the time for servers, but the same can be done for clients.
I run eveything behind an nginx reverse proxy that handles all that with the ssl_client_verify directive beefier proxying the request to the different services.
You generate a cert that's to be installed on the phone.
On a new connection, the server will challenge the client for its certificate and just drop eveything else.
I'd say it's as secure as doing VPN with PKI, but without having to keep the vpn running.
A few caveats: not all apps and browsers support mTLS.