Kryonet: Can I trust the client? (Beginner question)

I have a turn based game where the user clicks a button in the client, the client sends a message (an object registered with kryonet that is), the server then has the user’s hero perform an action depending on the message.

In theory, if the client sent another (correctly formatted and expected) message, the server would accept it without questioning. For example cast a fireball targeting all enemies, when it should only be able to target one.

It isn’t possible to cast let’s say a spell you haven’t learned, but I’m sure it’s obvious what the problem is.

Currently it’s impossible for the user to be able to send unexpected messages through the client, the server tells the client which messages it should be able to send at any time, but it is not guarding against the client not confirming to that.

Is that secure enough or should I be afraid of users somehow hacking the (android) client?

Also, is there a standard way to handle this? The range of dealing with this goes from just accepting the (hacked) messages, terminating the game (meaning I assume anyone sending a wrong message can’t be innocent), giving the user feedback and chance to re send correct message, or ignoring the message and trying to come up with a game fitting interpretation (fireball - all is interpreted as fireball - single), with the last being so much work, I can’t imagine it to be standard.