This is not possible. You should design your architecture so that this either does not matter or has a bounded cost.

Had a hunch this was the case, just needed someone smarter than I to confirm.

How do banks ensure nobody makes a phishing version of their apps?

They can't. If "no phishing" is a desired property, then it would be up to the distribution ecosystem to either carefully monitor for such products and deny them, or to at least allow some mechanisms for users to verify products themselves (such as SSL combined with URL bars do for general web traffic).

This is something that the BBC did with iPlayer: http://po-ru.com/diary/device-discrimination-on-the-internet...

I've not quite worked out how to implement it though

That is interesting, but surely the client-side cert could just be copied and used in a dummy app?

How about this:

1. Use the current GMT date/time to generate an encrypted api point like adfa923asdf.yourdomain.com. 2. Make it change every day. 3. For all other hostnames besides the correct one for the day, dump random data so the fake app cannot tell whether or not the api is giving out the right results for sure. All your apps will be pining the right api end point where as the fake ones will have a hard time catching up.

Also, use authentication on top of all of this.