I am building an app that will make HTTP requests to a server. I would like to know that the requests are coming from an app downloaded from an iOS App Store, or Android App Store. Is there any way to do this?
Maybe some kind of API on the phone allows signing with some Certificate Authority that is itself signed by Apple's Root Certificate Authority? Or something similar with Android?
Or maybe there is some way to use the "Advertising Identifier" like this but not running afoul of this ... is there something like this for Android?
I need this mostly to prevent sybil attacks (people making millions of accounts without buying a million iPhones).
But perhaps even more importantly, I want the app to establish an account on the server, and not let some joker send a request to the same server to override the user's "udid" willy-nilly so the app can't connect later. I guess I can prevent this latter thing by just saving a cookie or localStorage in a web browser under browser tabs and hope it doesn't get cleared.