How to authenticate client application for trust of messages sent from it

Question

The basic question
How do I know that it is my publicly accessible (client) application that is sending my service messages? How do I know that it is j

Answer 1

Impossible.

You can authenticate users, but not the application.

Let's say you decide to digitally sign the application. This signature is then read at runtime by your client application checking its own executable binaries against this signature. There is nothing that prevents the adversary from simply removing this check from your application.

Even if you make it close to impossible to reverse engineer your application, the adversary could always look at the communication channel and write an imposter that looks indistinguishable from your client to your server.

The only thing you can do is validate the actions on the server against a user identity.