How to defend my client/server from abuse and bad usage?

So I played around and created a very nice mobile app using Ionic/AngularJS. I implemented my server using the MEAN stack, using the Express.js web framework to run a REST API, behind the scenes connecting to my local MongoDB. I have a very nice API I created, mostly GET /a/b/c/d/.... that returns JSON data to my client, and from there I show and manipulate it as I desire. End-to-end is working great, so I have my Ionic files served at port X on my server with port forwarding, making it available at http://my-ip/, and my Express.js/Node.js server running on port Y on my server with port forwarding, making it available at http://my-ip:Y/

Basically, anyone who does a port scan on my IP can see that those two ports are open, navigate there and do what he wants, see the API my code is using and basically hack my system, entering false data into my system, as my entire API is available in my Ionic JS code.

What measures can I take in order to prevent such possible bad behavior? The only thing I can think of, HTTPS, is nice in that if someone is sniffing my traffic, he won't see the exact API I use, but still, accessing my client code can easily show the API anyway, and even there I don't understand how I'm protected.