Hybrid apps are obviously a bit new, so it's hard to find good information on this. I know that I need to allow cross-origin resource sharing on my server-side pages, but this clearly adds a security flaw. On a PhoneGap/Cordova app, I only have client-side control with AJAX calls to my server-side page. This means that anyone can access my PHP pages. This means that anyone can essentially mimic my app by accessing all my data like account info, etc. My question is how can I confirm that only my app is accessing these pages? Please provide specific coding examples.
I answered your question, and many others like it, in this blog post: Client authenticity is not the server's problem.
One of the most basic rules of application security is input validation. The reason this rule is so fundamental is because your server only has control (and visibility) over the software running on itself. Every other device on the Internet is a black box that you can communicate with over networking protocols. You can't see what it's doing; you only see the messages that it sends.
...
The server should remain agnostic to the client.
The software on the client and the software on the server should have a mutual distrust towards each other. Any messages that the server receives should be validated for correctness and handled with care. Data should never be mixed with code if you can help it.
...
The take-away is: Instead of trying to control your users, focus on making their misbehavior inconsequential to the stability and integrity of your server.
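As an added example (not code from the answer or the linked blog post), here is one way a PHP endpoint can follow this advice: it authenticates the user rather than the app, validates the input, and checks ownership on the server, so a request gets the same result whether it comes from the Cordova app or any other client. The function name, token format, session store and sample data are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for a session store and a database.
// Sessions are keyed by the SHA-256 of the token so raw tokens are not stored.
$sessions = [hash('sha256', 'constructed-token-alice') => 1];
$accounts = [
    1 => ['owner' => 1, 'email' => 'alice@example.test'],
    2 => ['owner' => 2, 'email' => 'bob@example.test'],
];

/** Hypothetical handler. Returns [HTTP status, response body]. */
function get_account(array $headers, array $query, array $sessions, array $accounts): array
{
    // 1. Authenticate the user, not the app: a bearer token issued at login.
    $auth = $headers['Authorization'] ?? '';
    if (!preg_match('/\ABearer ([A-Za-z0-9-]{16,128})\z/', $auth, $m)) {
        return [401, ['error' => 'authentication required']];
    }
    $userId = $sessions[hash('sha256', $m[1])] ?? null;
    if ($userId === null) {
        return [401, ['error' => 'authentication required']];
    }

    // 2. Validate input: the id must be a positive integer and nothing else.
    $id = filter_var($query['account_id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, ['error' => 'invalid account_id']];
    }

    // 3. Authorize on the server: ownership comes from the session,
    //    never from a field the client supplies.
    if (!isset($accounts[$id]) || $accounts[$id]['owner'] !== $userId) {
        return [404, ['error' => 'not found']];
    }
    return [200, ['email' => $accounts[$id]['email']]];
}

// Same valid token, three requests: own account, another user's account,
// and a malformed id. Only the first returns data.
$headers = ['Authorization' => 'Bearer constructed-token-alice'];
foreach (['1', '2', 'not-a-number'] as $accountId) {
    [$status, $body] = get_account($headers, ['account_id' => $accountId], $sessions, $accounts);
    echo $status, ' ', json_encode($body), "\n";
}
```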