I am facing a programming challenge which I do not know how to solve in the most appropriate way.
We are programming an Android App which is using an API we are providing for this purpose.
While the data the API is providing is not secret, we still want to limit the amount of requests a user can make. Per request a user can get search results for about 10-20 items around their location. We would like to avoid someone just using the API to get the entire database by sending requests for various locations.
An important feature of the app is that it works without registration.
So here is my challenge: how can I identify individual devices the app is installed on and verify those are real devices? I could have the app send e.g. the IMEI number with each request, but I would not be able to verify on the server side that the IMEI is real and not faked.
Is there maybe a download verification token which gets generated when the app has been downloaded from the Play Store? This way individual installations could be identified and blocked if that token makes malicious requests.
I would just like to achieve that only real app installations are allowed by the API, and that bots, DoS attacks etc. are blocked.
I would appreciate any hint to the right direction.
Cheers,
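The post above describes the server-side problem of limiting what each installation can pull from a location-based API. As an added example that is not part of the original post and not the poster's code, the Python sketch below shows the shape of one server-side answer: the server issues each installation an opaque, HMAC-bound token (so a client-supplied identifier like an IMEI is never trusted on its own), spends a per-token token bucket on every request, and revokes a token that queries more distinct location cells per window than a real user plausibly would. The class and function names, the bucket sizes, the cell size and the window length are assumptions chosen for illustration.

```python
"""Server-side model of per-installation API tokens with rate limiting and
revocation. Added example; the token format, limits and the location-cell
size are assumptions, not the original poster's design."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed: a server-held secret; in production it lives in configuration.
SERVER_KEY = secrets.token_bytes(32)


def _mac(token_id: str, key: bytes) -> str:
    """Bind a token id to the server key so clients cannot mint their own."""
    return hmac.new(key, token_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class InstallState:
    tokens: float        # token-bucket balance (requests currently allowed)
    last_refill: float   # timestamp of the last bucket refill
    cells: set           # distinct location cells queried in this window
    window_start: float  # start of the current scraping-detection window
    revoked: bool = False


class InstallRegistry:
    """Issues opaque install tokens and enforces per-install limits."""

    def __init__(self, key: bytes = SERVER_KEY, rate_per_sec: float = 0.5,
                 burst: int = 30, max_cells_per_window: int = 20,
                 window_sec: float = 3600.0):
        self.key = key
        self.rate = rate_per_sec          # sustained requests per second
        self.burst = burst                # bucket capacity
        self.max_cells = max_cells_per_window
        self.window = window_sec
        self.installs = {}                # token_id -> InstallState

    def issue(self, now: float) -> str:
        """Create a token for a new installation; the app stores the string."""
        token_id = secrets.token_urlsafe(16)
        self.installs[token_id] = InstallState(self.burst, now, set(), now)
        return f"{token_id}.{_mac(token_id, self.key)}"

    def _lookup(self, presented: str):
        token_id, _, mac = presented.partition(".")
        # Constant-time check; a forged or tampered token fails here.
        if not hmac.compare_digest(mac.encode(), _mac(token_id, self.key).encode()):
            return None
        state = self.installs.get(token_id)
        if state is None or state.revoked:
            return None
        return state

    def allow(self, presented: str, lat: float, lon: float, now: float) -> bool:
        """Decide whether one search request from this install may proceed."""
        st = self._lookup(presented)
        if st is None:
            return False
        # Refill the bucket for the time elapsed, capped at the burst size.
        st.tokens = min(self.burst, st.tokens + (now - st.last_refill) * self.rate)
        st.last_refill = now
        if st.tokens < 1:
            return False
        st.tokens -= 1
        # Scraping heuristic: too many distinct ~11 km cells (one decimal
        # degree, an assumed cell size) per window reads like a database
        # sweep rather than a user searching around their own location.
        if now - st.window_start >= self.window:
            st.cells.clear()
            st.window_start = now
        st.cells.add((round(lat, 1), round(lon, 1)))
        if len(st.cells) > self.max_cells:
            st.revoked = True
            return False
        return True
```

The token is only as strong as the server's ability to hand it out to real installations, so in practice `issue` would sit behind whatever install-time check the platform offers; the registry itself stays the same whichever attestation feeds it.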