I have a Node.js server that will handle requests from my flutter mobile application. The flutter application uses http module to send the requests to the server. The Node.js server uses CORS. How do I make sure that my server only accepts requests made from my mobile applications ?.
I noticed one method is to use an In app API-Key that is generated in the app and it must be sent to the server. If the API-Key is valid then the server responds with the appropriate response. However my sole problem is if anyone intercepts those http requests made from the mobile application, they can look at that API-Key and mimic their own http requests as though it is coming from my mobile application.
Another solution posted was to use something like OAuth. But I am not sure if that's a solution, if it is then please explain how I would implement it.
Another solution that was shown was to use some sort of SSL. But it requires a certificate or something and I do not understand how it actually works nor do I know if it can be used with flutter apps.
Please provide any other solutions to this problem that you think is apt.
Recently Firebase released a Service called Firebase App Check Please have a look. It may resolve your problem statement.
https://firebase.google.com/docs/app-check