I'm currently building a mobile application (iOS at first), which needs a backend web service to communicate with.

Since this service will be exposing data that I only want to be accessed by my mobile clients, I would like to restrict the access to the service.

However I'm in a bit of a doubt as to how this should be implemented. Since my app doesn't require authentication, I can't just authenticate against the service with these credentials. Somehow I need to be able to identify if the request is coming from a trusted client (i.e. my app), and this of course leads to the thought that one could just use certificates. But couldn't this certificate just be extracted from the app and hence misused?

Currently my app is based on iOS, but later on android and WP will come as well.

The web service I'm expecting to develop in nodejs, though this is not a final decision - it will however be a RESTful service.

Any advice on best practice is appreciated!

Simple answer: You cannot prevent just anybody from acecssing your web site from a non-mobile client. You can, however, make it harder.

Easy:

• Send a nonstandard HTTP header
• Set some unique query parameter
• Send an interesting (or subtly non-interesting) User Agent string
• (you can probably think of a few more)

Difficult:

• Implement a challenge/response protocol to identify your client
• (Ab)use HTTP as a transport for your own encrypted content
• (you can probably think of a few more)

Of course anybody could extract the data, decompile your code, replay your HTTP requests, and whatnot. But at some point, being able to access a free Web application wouldn't be worth the effort that'd be required to reverse-engineer your app.

There's a more basic question here, however. What would be the harm of accessing your site with some other client? You haven't said; and without that information it's basically impossible to recommend an appropriate solution.