I am building an application that has an auth system and a lot of POST requests.
I want to know how to make my backend endpoints accept only requests that are coming from my application, not from anything else like Postman.
What I was thinking of is saving a secret on the client's side that is sent with each request to the backend, so that I can make sure the request is coming from my app.
I know that anyone can access my app's source code if they extract the APK file, and my secret on the client's side will be known.
To solve this, I read that I can make my code unreadable by obfuscating it (I still need to figure out how I am going to do that in my EAS build).
And I have to use JailMonkey to detect if the device is rooted.
Also SSL pinning.
I am using Expo SecureStore to save my sensitive info on the client side.
Is this approach good enough? Is there anything I am missing?
I have zero information about security, this is just what I learned through searching.