Reputation: 707
I want to be sure that the client making HTTP GET requests to my web app server is coming specifically from my mobile app and not from anything else. I have considered different options and still have not come up with anything. Most importantly, I do not want there to be user interaction; I want the mobile app itself to handle this. The best I've come up with is having a secret key on the mobile app that the web app has prior knowledge of, but if the mobile app was ever decompiled or the key was uncovered somehow, then this would be useless. Communication between the two is encrypted with AES-128 in CBC mode with a random IV, which is passed back and forth in plaintext and changes after each transaction.
Is being certain that communication is coming from the mobile app something that is simply not possible, logistically, and requires human intervention, such as requiring the user to type in a password that they remember and that is already set up on the server?
Ultimately, the mobile app updates a database on the web app server, and so I want to make sure the requests are being made from the app and not from someone posing as the app.
Upvotes: 1
Views: 175
Reputation: 67019
This can never be possible. This is due to the fundamental property behind CWE-602: Client-Side Enforcement of Server-Side Security. There is no way for you to dictate the behavior of clients. Nothing is preventing the user of your software from attaching a debugger and reading memory or modifying your client.
Upvotes: 1
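As an added illustration of the answer's point (not code from either poster), the shared-secret check is modelled with a stdlib HMAC tag instead of the question's AES-CBC channel; the conclusion is the same for any secret the client holds. The secret, row names and value bounds are constructed for the demo.

```python
import hashlib
import hmac
import json

# Secret baked into the app; a constructed placeholder, not a real key.
APP_SECRET = b"constructed-demo-secret-not-a-real-key"

# Server-side state the app is allowed to update (constructed).
DB = {"row-1": 10}

def sign_request(secret: bytes, payload: dict) -> dict:
    """Client side: tag the request body with the secret shipped in the app."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}

def server_accepts(secret: bytes, request: dict) -> bool:
    """Server side: all this proves is that the sender knew `secret`."""
    expected = hmac.new(secret, request["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["tag"])

def requests_indistinguishable(payload: dict) -> bool:
    """The genuine app and any other program holding the same key bytes
    (read out of the binary or out of memory) produce identical requests,
    so the server has no way to tell which one it is talking to."""
    from_app = sign_request(APP_SECRET, payload)
    from_other_program = sign_request(APP_SECRET, payload)  # same key, not the app
    return (from_app == from_other_program
            and server_accepts(APP_SECRET, from_app)
            and server_accepts(APP_SECRET, from_other_program))

def apply_update(secret: bytes, request: dict) -> str:
    """What the server can actually enforce: rules it owns, checked on its
    side for every request, regardless of what the client claims to be."""
    if not server_accepts(secret, request):
        return "rejected: bad tag"
    payload = json.loads(request["body"])
    row, value = payload.get("row"), payload.get("value")
    if row not in DB:
        return "rejected: unknown row"
    # Constructed business rule: value must be an int in 0..100 (bool excluded).
    if type(value) is not int or not 0 <= value <= 100:
        return "rejected: value out of range"
    DB[row] = value
    return "applied"
```

The key check filters out senders who never obtained the secret, nothing more; the constraints in `apply_update` are the part that still holds once the client is not the app.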