HaydenKai

Reputation: 880

Protect data so only verified client can read

I am creating a REST server that will be holding a decent amount of proprietary information. I want users to be able to access the information in only the intended way, which is through a map built into an iPhone/Android app. I require a verified email registration to access the server. I will be rate limiting the amount of information any identity can receive; however, I want to take it a step further and prevent (or at least try to prevent) an identity from pretending to be my app and grabbing the information in plain text.

A successful example of this is Spotify: you can download as much music as you want; however, it is difficult (impossible?) to get at the files unless you are using one of their clients.

I have seen questions like this saying it is impossible: https://stackoverflow.com/questions/32084631/how-can-you-lock-down-so-only-your-android-client-can-interact-with-your-parse-p

However, they do not explain techniques that companies like Spotify use to at least obscure the data. I am also OK with only holding one request at a time on the client and requiring that they are online in order to view the information.

tl;dr: What is a good way to ensure REST communication with a verified client (Android/iOS), and decrypt the information so that only my app can use it?

Upvotes: 0

Views: 37

Answers (1)

yfdgvf asdasdas

Reputation: 190

You could encrypt the information. I don't know much about this, but what I do know is that there is a book called java with jax-rs which deals with the authentication you are talking about.

Upvotes: 1
