I have two applications, Android and iOS, both communicating with one back-end Node.js server. Is there a way to allow requests only from these applications, like some sort of API-key method? I've tried to think of ways to filter requests so that only these applications get through, but I guess I'm stuck.
We do have a login/authentication-token system, but what's stopping users from taking that same token and abusing requests with an external application?
I'm thinking about encrypting all requests from the mobile app and decrypting them in the same manner on the back end, but I'm worried about the amount of computation required. And what's to stop users from taking that same encrypted request and abusing it as well?
I guess what I'm looking for is some good security practices that can prevent such abuse without hindering the efficiency of the back end too much.