I wrote a node-app which is supposed to be backend for native apps. For now I have an ios-app that communicates with the node-app. Later probably I also develop an android native app. Im concerned about who can make request to this app. The best would be if I can be 100% sure that this is a native app who is contacting my node-app. But: how do I accomplish this? By sending arbitrary headers everybody would be able to pretend being a native app. Is there a way to solve this?
If by solve you mean flawless security, then no. You should employ multiple strategies, take a look at this question. Generally speaking there can never be perfect security. You will have to carefully consider what is your level of acceptably leaky.