
My use case is the following: I want to create an app with React Native that I can deploy on both iOS and Android.

The app should consume an RSS feed (https call) from the server but there is no need to have authorization in place. The output does not depend on the user.

I was trying to look around for ways to have some form of security for my server to be sure that the caller is my mobile app.

For this use case, is certificate pinning enough, or do I need something else in your opinion?

dierre
  • How would certificate pinning solve this problem? – vidarlo Mar 01 '21 at 15:30
  • @vidarlo I was reading here but maybe I didn't understand it correctly: https://developer.android.com/training/articles/security-ssl#Pinning – dierre Mar 02 '21 at 13:22
  • That protects your app and users against some kinds of attacks. It doesn't really protect your endpoint against anything. – vidarlo Mar 02 '21 at 14:47

1 Answer


The app should consume an RSS feed (https call) from the server but there is no need to have authorization in place. The output does not depend on the user.

In this case I'd consider the need for an app at all... But that's not important.

I was trying to look around for ways to have some form of security for my server to be sure that the caller is my mobile app.

No, it would not be. It would make it more difficult to discover the endpoints used by your app, but still trivially doable. Replacing the certificate and rebuilding an APK is rather trivial - and it's enough that one person does it.

You can use SafetyNet attestation or DeviceCheck for iOS to verify that the device is not compromised, and verify your app integrity. Note that this is not foolproof either, but it raises difficulty somewhat.

Ultimately, your problem is unsolvable. The moment the data leaves your server, you have no control over how it's used anymore. You can make it somewhat difficult, but it can be broken. Hollywood has spent the last 20 years trying to implement DRM - but name a movie released in the same time span that has not been pirated...

vidarlo
  • But if you replace the certificate, then the certificate is not the same as the one pinned so shouldn't it be spotted right away? – dierre Mar 02 '21 at 06:56
  • Spotted by whom? Your app is running on a device not controlled by you. Assume that your attacker can edit the memory of the device freely, and replace code paths he doesn't like. – vidarlo Mar 02 '21 at 07:02
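Server-side attestation checks, as an added example that is not part of vidarlo's answer or the original question. Certificate pinning is a check the app performs on the server; the answer's SafetyNet/DeviceCheck suggestion is the one direction in which the server gets something it can verify about the app: on Android the app forwards a JWS verdict, and the server binds it to a nonce it issued for that request, checks freshness, and compares the package name and app-signing-certificate digest against what it expects. The Go code below implements exactly those checks using the documented SafetyNet payload field names (`nonce`, `timestampMs`, `apkPackageName`, `apkCertificateDigestSha256`, `basicIntegrity`). Everything else is an assumption made for this example: the package name `com.example.rssreader` and the digest strings are constructed placeholders, `Sign` stands in for Google's signer so the verifier can be exercised offline, and the verifier takes an already-trusted RSA public key, i.e. validation of the verdict's `x5c` certificate chain to `attest.android.com` is assumed to have happened before and is not shown. (Google has since retired SafetyNet Attestation in favour of Play Integrity; the claim checks carry over.)

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the SafetyNet Attestation JWS payload the server decides on (Google's field names).
type Claims struct {
	Nonce                      string   `json:"nonce"`
	TimestampMs                int64    `json:"timestampMs"`
	ApkPackageName             string   `json:"apkPackageName"`
	ApkCertificateDigestSha256 []string `json:"apkCertificateDigestSha256"`
	BasicIntegrity             bool     `json:"basicIntegrity"`
}

// Verifier holds what the server knows independently of the client. Assumption: Key is the leaf
// key of the verdict's x5c certificate chain, already validated against attest.android.com (not shown).
type Verifier struct {
	Key        *rsa.PublicKey
	Package    string          // expected apkPackageName
	CertDigest string          // expected base64 SHA-256 of the app signing certificate
	MaxAge     time.Duration   // how stale a verdict may be
	seen       map[string]bool // nonces already accepted, so a captured verdict cannot be replayed
}

// Verify checks a compact JWS (header.payload.signature) against the nonce the server issued for this
// request and the current time. RS256 is fixed here, not read from the header, so "alg" games fail.
func (v *Verifier) Verify(jws, expectedNonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1]) // a decode error leaves nil, which
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])     // the signature and JSON checks reject
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))     // signing input is the encoded header.payload
	if rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("payload is not JSON")
	}
	age := now.Sub(time.UnixMilli(c.TimestampMs))
	digestOK := false
	for _, d := range c.ApkCertificateDigestSha256 {
		digestOK = digestOK || d == v.CertDigest
	}
	switch {
	case c.Nonce != expectedNonce:
		return nil, errors.New("nonce mismatch")
	case v.seen[c.Nonce]:
		return nil, errors.New("nonce already used (replay)")
	case age > v.MaxAge || age < -time.Minute:
		return nil, errors.New("verdict too old or from the future")
	case c.ApkPackageName != v.Package:
		return nil, fmt.Errorf("unexpected package %q", c.ApkPackageName)
	case !digestOK:
		return nil, errors.New("app signed with an unexpected certificate")
	case !c.BasicIntegrity:
		return nil, errors.New("device failed basic integrity")
	}
	if v.seen == nil {
		v.seen = map[string]bool{} // created lazily so a zero Verifier literal works
	}
	v.seen[c.Nonce] = true
	return &c, nil
}

// Sign builds an RS256 JWS over c. It stands in for Google's signer so the verifier can run offline.
func Sign(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	v := &Verifier{Key: &priv.PublicKey, Package: "com.example.rssreader", CertDigest: "constructed-digest", MaxAge: 5 * time.Minute}
	tok, _ := Sign(priv, Claims{Nonce: "n1", TimestampMs: time.Now().UnixMilli(), ApkPackageName: v.Package, ApkCertificateDigestSha256: []string{v.CertDigest}, BasicIntegrity: true})
	_, first := v.Verify(tok, "n1", time.Now())
	_, replay := v.Verify(tok, "n1", time.Now()) // the same verdict presented again is refused
	fmt.Println("first use:", first, "| replay:", replay)
}
```

The order matters: the signature is checked before any claim is read, the nonce ties the verdict to one request the server itself generated, and the signing-certificate digest is what distinguishes the original APK from a rebuilt one signed with someone else's key. This does not change the answer's conclusion: a device that passes attestation can still be scripted, and the verdict only says something about the app and device at the moment it was issued.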