How to Ensure Integrity and Origin of Client-Generated Data in Mobile App?
Question
I'm developing a mobile application where one of the core functionalities involves the client sending travel distance and travel start and end times to the server. Due to the nature of my business requirements, the server has no way to independently verify these values.
The security and integrity of this data are paramount. I need to ensure that the request originates from a legitimate instance of my mobile app (i.e., not from a rogue client like a manipulated version of the app or a curl command from a console), and that the data sent by the client hasn't been tampered with.
While I'm currently using HTTPS and JWT authentication with refresh tokens, this doesn't prevent a malicious user from using their JWT token to send false data from an illegitimate client.
I've considered using client-side certificates but the distribution to each instance of the mobile app seems overly complex and potentially unscalable. I'm also aware of techniques like Diffie-Hellman and HMAC, but they seem to have similar issues.
How can I ensure the integrity of the client-generated data and confirm that it's coming from a legitimate instance of my mobile app? Are there established best practices or patterns for handling this kind of situation?
Answer 1
Score: 1
There are some good practices you can use along the way, but all they can do is discourage attackers and they do not offer 100% security. The best thing you can do is to look into how banking apps are protected, as the requirements for these are similar to yours. So let's try to enumerate what you need to take care of:
- Use TLS to protect the channel (no-brainer).
- In the application, implement a check for whether it runs on a rooted device. If so, stop processing. Rooted devices are used by attackers to learn about how the app operates.
- Pin the TLS certificate on the mobile application side. This will make the MitM attacks much harder to perform. Learning about your endpoints can be way harder this way.
- Obfuscate the binaries. The attacker will try to search the binaries while trying to disable certificate pinning and rooted-device checks. Make it harder this way.
- (Optional) As another layer of defence you can also put some secrets into the application and calculate some HMACs based on request content and secret. Again, this offers no ultimate protection, but together with obfuscation the bar will be raised higher.
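As an added illustration of the optional HMAC layer from the answer (example code, not the answerer's own), here is a minimal client-side signing routine paired with the server-side check; the embedded secret, header names, field names and the 300-second replay window are constructed assumptions. The timestamp is bound into the signed message so a captured request cannot be replayed indefinitely, and the server compares tags in constant time.

```python
import hashlib
import hmac
import json

# Constructed sample secret; the answer's idea is that this lives inside the
# (obfuscated) app binary. Anyone who extracts it can forge tags, so this
# raises the bar rather than proving the request came from a genuine app.
APP_SECRET = b"example-embedded-app-secret"
REPLAY_WINDOW_SECONDS = 300  # assumed tolerance for clock skew and latency


def canonical_body(payload: dict) -> bytes:
    """Deterministic JSON so client and server hash exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(payload: dict, timestamp: int, secret: bytes = APP_SECRET) -> dict:
    """Client side: HMAC-SHA256 over timestamp || body, returned as headers."""
    msg = str(timestamp).encode() + b"\n" + canonical_body(payload)
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Signature": tag}


def verify_request(payload: dict, headers: dict, now: int, secret: bytes = APP_SECRET) -> bool:
    """Server side: reject missing/stale headers, then recompute and compare."""
    try:
        ts = int(headers["X-Timestamp"])
        tag = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False  # outside the replay window
    msg = str(ts).encode() + b"\n" + canonical_body(payload)
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag byte by byte via timing.
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed trip report in the shape the question describes.
    trip = {"distance_km": 12.5, "start": 1700000000, "end": 1700003600}
    hdrs = sign_request(trip, timestamp=1700003700)
    print("genuine:", verify_request(trip, hdrs, now=1700003700))
    print("tampered distance:", verify_request(dict(trip, distance_km=99.0), hdrs, now=1700003700))
```

Pair this with a server-side nonce cache if exact-once delivery matters, since the window alone still allows replay within 300 seconds.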