I want to use HMAC to verify the integrity of data transmitted between our iOS/Android mobile app and API. I want to prevent data tampering, either by an authenticated user or a man-in-the-middle, completely trustless.
I know we need a shared secret key to be used by both the mobile app and the server. I know we can establish a key exchange with RSA, but I want to be sure this exchange comes from the mobile app and not Postman, or keys can be intercepted by a proxy.
Should I have a secret key embedded inside the mobile code and the server? What do you recommend for a completely trustless mode? The API can be used completely by Postman, and we want to make sure requests are sent by our mobile app and data is not altered in the middle. It is a web3 app, so there is no authentication like a traditional user and pass.
There is no guaranteed way to be sure the code has not been tampered with on the client device. Anyone who has physical access to the device is assumed to be able to execute arbitrary code on it, and so you can't guarantee that someone hasn't changed the data with a proxy.
Furthermore, in general, you would want to avoid embedding secrets into your code, including for HMAC. Anyone could disassemble the code and extract them.
Since you're presumably using TLS for your server, you could try to pin your CA certificate in the app, which could be bypassed, but would be more difficult. If you wanted to allow only trusted clients, you could then issue the client an HMAC key to sign its requests or have it create a TLS key and then issue it a certificate chained to an internal CA that it used for mutual TLS. Both of those would allow you to control the clients and revoke their access in the future, but you'd still have to come up with a way of determining whether the client is trusted.
My advice here is to not worry about whether the binary itself is trusted and just implement features like throttling, credential revocation, and other abuse prevention mechanisms so that even if there are unauthorized clients, they can't do much damage.
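As an added illustration (not code from the answer above), here is one way a server could handle the "issue the client an HMAC key" option with per-client revocation: each request carries a MAC over the method, path, timestamp, nonce and body hash. The names `ClientKeys`, `sign`, `MAX_SKEW` and the message layout are assumptions made for this sketch, and a valid signature only shows the sender holds an issued key, not that it is the unmodified app.

```python
import hashlib
import hmac
import secrets

MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed policy)


def sign(key, method, path, body, ts, nonce):
    """Client side: MAC over method, path, timestamp, nonce and body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([method, path, str(ts), nonce, body_hash]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ClientKeys:
    """Server side: per-client HMAC keys that can be revoked individually."""

    def __init__(self):
        self._keys = {}     # client_id -> secret key bytes
        self._seen = set()  # accepted (client_id, nonce); expire after MAX_SKEW in real use

    def issue(self, client_id):
        # Issued at enrollment over pinned TLS, never compiled into the app.
        key = secrets.token_bytes(32)
        self._keys[client_id] = key
        return key

    def revoke(self, client_id):
        self._keys.pop(client_id, None)

    def verify(self, client_id, method, path, body, ts, nonce, sig_hex, now):
        key = self._keys.get(client_id)
        if key is None:
            return "unknown-or-revoked"
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        expected = sign(key, method, path, body, ts, nonce)
        # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
        if not hmac.compare_digest(expected.encode(), sig_hex.encode()):
            return "bad-signature"
        if (client_id, nonce) in self._seen:
            return "replay"
        self._seen.add((client_id, nonce))
        return "ok"
```
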