0

Looking for a way to see how I can make sure that requests that originate from my mobile apps are only served by my server API.

This is to enable guest users to get to see the app but not get data exposed out for use by BOTs.

Is there an Android or iOS app property that helps with creating requests that help with this?

Mikheil Zhghenti

2 Answers

1

Looking for a way to see how I can make sure that requests that originate from my mobile apps are only served by my server API.

As it is phrased now I read it more like you want to ensure that your mobile app only sends and receives requests from your API server, not from an attacker's API server pretending to be yours, or from a MitM attack. If this is the case then the solution is to add certificate pinning to your mobile app, but this should always be added to any mobile app.

I think what you mean here is that you want to ensure that your API server only replies to requests coming from a genuine instance of your mobile app. If this is the case then you are looking to lock down your API server to your mobile app and you have here a great challenge and several approaches to take.

Certificate Pinning

To implement certificate pinning in your mobile app I recommend you to read the article Securing HTTPS with Certificate Pinning:

In order to demonstrate how to use certificate pinning for protecting the https traffic between your mobile app and your API server, we will use the same Currency Converter Demo mobile app that I used in the previous article.

In this article we will learn what certificate pinning is, when to use it, how to implement it in an Android app, and how it can prevent a MitM attack.

So the article will guide you through an actual implementation of certificate pinning in an example app that you can find in this repo.

Lock down the API Server to the Mobile App

I recommend you to read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Securing the API Server and A Possible Better Solution.

Encrypted Key Generation in the Mobile App

I saw this in one of your comments to another answer (you should also add it to your question):

I am looking at a secure way of creating an encrypted key in the app that can only be decrypted on the server.

You can indeed create one securely with the help of the Android Security Library:

The Security library provides an implementation of the security best practices related to reading and writing data at rest, as well as key creation and verification.

I go into more detail about this in this answer to the question Store Client Certificate and key (.pem) in Android securely, which contains some code samples.

Do You Want To Go The Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

Exadra37
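As an added illustration of the certificate pinning this answer recommends (this is not code from the answer or from the linked article), here is what a pin set looks like in an Android Network Security Config, which is the platform's built-in way to pin without touching the HTTP client. The domain name and both pin values are placeholders: real pins are the base64-encoded SHA-256 digest of the server certificate's SubjectPublicKeyInfo, and a backup pin for a key you control but have not deployed yet keeps the app working when the leaf key is rotated.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (Android 7.0 / API 24 and later).
     Reference it from AndroidManifest.xml on the <application> element:
       android:networkSecurityConfig="@xml/network_security_config"
     Placeholder domain and pins below; replace with your own values. -->
<network-security-config>
    <domain-config>
        <!-- Pin only your API host; includeSubdomains covers api.*, cdn.* etc. -->
        <domain includeSubdomains="true">api.example.com</domain>

        <!-- expiration makes the pins stop being enforced after this date, so an
             old app build cannot brick itself once the key has been rotated. -->
        <pin-set expiration="2022-12-31">
            <!-- Pin of the key currently served by api.example.com (placeholder).
                 One way to compute it from the live server:
                 openssl s_client -connect api.example.com:443 </dev/null 2>/dev/null \
                   | openssl x509 -pubkey -noout \
                   | openssl pkey -pubin -outform der \
                   | openssl dgst -sha256 -binary | base64 -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>

            <!-- Backup pin for an offline spare key (placeholder). Without it a
                 compromised or expired key means shipping an app update before
                 any client can reconnect. -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>

        <!-- Pinning only applies to connections that still chain to a trusted
             CA; the pin is an additional check, not a replacement for one. -->
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

Pinning stops a network attacker from impersonating your API to the app; it does not by itself stop someone who extracts the API key or reverse-engineers the app from talking to the API, which is the separate "lock down the API server" problem discussed above.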
0

You can pass the package name (Android) / bundle identifier (iOS app) of the application in the request params to validate the request from your app only.

In this way you can check the bundle identifier/package name on your server and based on that you can restrict the user to allow/disallow api usage.

Another way is the use of an API key/token.

You can create a unique token/key on your server, give it to the mobile app developer and ask them to send it in every API request.

So when you get the request on the server you can validate that API key/token on the server. If the key/token is not valid then disallow the user from accessing your API.

Mahendra
  • Thank you Mahendra! If the package name or bundle identifier can be seen in the requests that are sent, it can be re-used. I am looking at a secure way of creating an encrypted key in the app that can only be decrypted on the server. Hope I am clear... – Seshu Loka Oct 15 '20 at 07:46