If anyone trace the requests and responses, Can he get the token from headers?
If an attacker is in a suitable position to perform a MitM (Man in the Middle) attack and is able to intercept and view the requests, then yes, they can get the token from headers. To prevent this, make sure that the REST service in use is using SSL/TLS. This will prevent MitM and replay attacks. The REST service must also make sure that these tokens are properly invalidated on the server-side once the user logs out and there should be a hard session time-out associated with these tokens.
Where should I store token in android client?
You can store them in your application's SharedPreferences. Read this answer for more details on it.
If I store token in somewhere like SharedPreferences and user access that He can send fake request to server!
Yes, a user can do that with their own session token. That's exactly what the token is used for. As far as accessing a limited controller is concerned, it is the responsibility of the service to make sure that the access control is proper on the server side and that user is only allowed to perform controlled requests to a particular endpoint.
The problem is, if an attacker gets hold of your valid session token, they'll be able to impersonate you on the application. But you've just made their task difficult by using SSL/TLS everywhere and by ensuring that application does not leak the session token in any way (for example, in the request URLs).