I have an endpoint in which the server has to be sure of the authenticity of the client making the API calls. I therefore imagined the best way to do it is to include something like a digital certificate or a secret in the client which would have to be encrypted and distributed within the binary that goes to the App Store. How could I add such a certificate in order for it to be safe? What alternatives would I have if not possible?
Apple helpfully provides a set of APIs that would allow you to store a certificate securely, and that would probably be what you should use. Past that, there is no way to guarantee that your certificate is not stolen by a sophisticated attacker; any key you distribute can be stolen, unless you are transmitting it over a secure channel to a trusted recipient.