Best practices for securing mobile app API and implementing rate limiting?

Hey everyone!

TLDR: Building a mobile app with free API usage limits. Planning to use API key + IP rate limiting + UUID tracking. Looking for feedback and alternative approaches. Would love to hear your thoughts and experiences! Thanks!

I'm developing a mobile app that uses OpenAI's Whisper API for audio transcription. I'm looking for advice on securing my backend API and implementing rate limiting for free users. Here's my situation:

My App's Context:

  • Free tier with limited usage
  • Uses Whisper API (I pay for each transcription)
  • No user accounts (anonymous usage)
  • Local storage for transcriptions

My Concerns:

  • How to ensure API calls come from my app only
  • How to implement rate limiting for anonymous users
  • How to prevent API abuse without adding too much complexity

Current Planned Solution: After research, I'm planning to implement a three-layer approach:

1. Basic API Key:

Pros:

  • Blocks unintentional access
  • Stops automated scanners
  • First line of defense

Cons:

  • Can be extracted through app decompilation
  • Not a perfect security measure

2. IP-based Rate Limiting:

Pros:

  • Limits mass requests
  • Easy to implement
  • Effective against basic abuse

Cons:

  • Mobile IPs change frequently (4G/WiFi switches)
  • Shared IPs (corporate networks, universities)
  • Can be bypassed with VPNs

3. Device UUID Tracking:

Pros:

  • Helps monitor usage patterns
  • Provides analytics
  • Additional rate limiting layer

Cons:

  • Can be reset/modified
  • Not a security measure

Questions:

  • Is this approach common/reasonable for mobile apps?
  • Are there better alternatives I'm missing?
  • How do other developers handle this?

Alternative Solutions I Considered:

Google's Play Integrity / Apple's App Attest:

  • More secure but complex
  • Mixed reviews about reliability
  • Might be overkill for my use case?

Free "Consumable Products":

  • Too much friction for users
  • Overcomplicated for free features

I know perfect security is impossible on mobile, but I want to find the right balance between security and usability.

Would love to hear your thoughts and experiences! Thanks!
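The three-layer plan described in the post (app API key, per-IP rate limiting, per-device UUID quota) as one backend check, added here as an illustration and not code from the original poster. The class and function names (`SlidingWindowLimiter`, `TranscriptionGate`), the limits (60 requests per minute per IP, 5 transcriptions per day per device), the API key and the 203.0.113.x client addresses are all constructed for the example; the clock is injectable so the behaviour can be exercised without waiting. It also shows the two weaknesses the post lists: a reset device UUID gets a fresh daily quota, and only the per-IP burst cap bounds how fast that can be repeated from one address.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed demo key. In a real deployment the key comes from server config and,
# as the post notes, an extracted key is only a first filter, not an auth boundary.
APP_API_KEY = "demo-app-key-2f8c1e"


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.

    Timestamps of recent events are kept per key; anything older than the
    window is discarded before counting, so a burst rolls off gradually
    rather than resetting at fixed minute/day boundaries.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, key, now):
        q = self._events[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def remaining(self, key, now):
        q = self._events[key]
        return self.limit - sum(1 for ts in q if ts > now - self.window)


class TranscriptionGate:
    """Server-side check run before a transcription request is forwarded upstream."""

    def __init__(self, now=time.time):
        self.now = now
        # Burst cap per source IP: limits mass requests, including from a
        # client that keeps minting new device ids.
        self.per_ip = SlidingWindowLimiter(limit=60, window=60)
        # Free-tier quota per device UUID: the per-user limit the post wants.
        self.per_device = SlidingWindowLimiter(limit=5, window=24 * 3600)

    def check(self, api_key, client_ip, device_id):
        """Return (allowed, reason). Only `allowed=True` requests cost money upstream."""
        # Constant-time comparison so key checking does not leak via timing.
        if not hmac.compare_digest(api_key or "", APP_API_KEY):
            return (False, "invalid_api_key")
        if not device_id:
            return (False, "missing_device_id")
        now = self.now()
        # IP budget is charged for every attempt, accepted or not, so that a
        # flood of quota-exceeded retries is still throttled at the IP layer.
        if not self.per_ip.allow(client_ip, now):
            return (False, "ip_rate_limited")
        if not self.per_device.allow(device_id, now):
            return (False, "device_quota_exceeded")
        return (True, "ok")


def run_scenario():
    """Drive the gate with a fake clock; returns a dict of observed outcomes."""
    clock = [1_000_000.0]
    gate = TranscriptionGate(now=lambda: clock[0])
    ip = "203.0.113.10"  # constructed client address (documentation range)

    out = {}
    out["bad_key"] = gate.check("wrong-key", ip, "device-A")
    out["first_five"] = [gate.check(APP_API_KEY, ip, "device-A") for _ in range(5)]
    out["sixth"] = gate.check(APP_API_KEY, ip, "device-A")
    # Weakness 1: a reset UUID looks like a new free user.
    out["reset_uuid"] = gate.check(APP_API_KEY, ip, "device-B")
    # Weakness 2 / mitigation: keep minting UUIDs from one IP until the burst cap hits.
    n = 0
    while gate.check(APP_API_KEY, ip, f"device-{n}")[1] != "ip_rate_limited":
        n += 1
    out["fresh_ids_before_ip_cap"] = n
    clock[0] += 61  # a minute later the IP window has rolled off
    out["after_minute"] = gate.check(APP_API_KEY, ip, "device-Z")
    clock[0] += 24 * 3600  # a day later device-A's quota is back
    out["device_a_next_day"] = gate.check(APP_API_KEY, ip, "device-A")
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The scenario makes the post's trade-off concrete: with these numbers, one address can burn through at most 60 requests per minute no matter how many UUIDs it generates, so the cost exposure per abusive IP is bounded by the IP layer, while the per-device quota is what enforces the free tier for honest users. The limiter state lives in process memory here; a multi-instance backend would keep the same sliding-window logic in a shared store such as Redis.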