如何检查请求是否仅来自我的移动应用程序

这是不可能的。

REST-API 意味着您的移动应用程序正在向您的服务器发送 HTTP 调用。这些请求可以在设备上嗅探，并从任何其他客户端重新发送。没有办法防止这种情况发生。

您的 API 也应该根据开放设计原则进行设计，这意味着 API 必须是安全的，而不会使对它的访问变得秘密。

WHO 和 WHAT 之间的区别是访问 API 服务器

嗨，我有用 react native 开发的移动应用程序，它正在对服务器进行 REST API 调用。我们为登录应用程序的用户提供了身份验证令牌。

在我深入探讨如何将后端 API 锁定到移动应用程序的真正实例之前，我想首先澄清一个关于谁和什么在访问 API 服务器的误解。

我写了一系列关于 API 和移动安全的文章，在文章中为什么您的移动应用程序需要 API 密钥？ 您可以详细阅读访问您的 API 服务器的人和内容之间的区别，但我将在这里摘录其中的主要内容：

向 API 服务器发出请求的事物是什么。它真的是您的移动应用程序的真实实例，还是机器人、自动脚本或攻击者使用 Postman 等工具手动绕过您的 API 服务器？

谁是移动应用程序的用户，我们可以通过多种方式对其进行身份验证、授权和识别，例如使用 OpenID Connect 或 OAUTH2 流。

因此，请考虑谁作为用户，您的 API 服务器将能够对数据进行身份验证和授权访问，并考虑代表用户发出该请求的软件。

在你理解了这个想法并在你的思维方式中根深蒂固之后，你将从另一个角度看待移动 API 安全，你将能够看到你从未想过可能存在的攻击面。

将 API 服务器锁定为移动应用程序的正版实例

我想使应用程序更安全，这意味着我想验证请求是否仅来自我们部署的应用程序。我怎样才能实现这种方法。

我希望到现在为止，您已经对 API 请求中的 who 和 what 不相同有了充分的了解，这就是为什么很难锁定 API 服务器以仅向移动应用程序的真实实例提供请求的原因。

To lockown your API to genuine instances of your mobile apps you will need to apply a security solution that is able to work in tandem between mobile app and API server. The mobile app must use Runtime Self Protection (RASP) techniques, ideally with decision about the integrity of the mobile app and device its running on being made outside of the app and device, also known as Remote Mobile App Attestation (RMAA). The RMAA receives signals from the RASP running on the mobile app and makes decisions on the fly about the integrity of device and app, informing the backend of the app by signing a JWT token with a secret known only by the backend (not by the app) for successfully attestations, while for apps that fail attestation the JWT is signed with a secret unknown to the backend. This JWT is passed to the mobile app that adds it to the header of each API request and then the backend only serve requests that have a JWT signed with a valid token, and that hasn't expired. All other requests must be reject, because a JWT that fails a signature verification signals to the backend that it cannot trust in the request, while its absence means that the request is not from the mobile app at all.

want to know the solution how can i achieve this .

I recommend you to read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.

Do You Want To Go The Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For APIS

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.