
Mobile App Avoiding or Securing CORS?


CORS is a standard for instructing browsers on what to do when a page from another domain tries to access your domain.

The key term there is browsers. Anyone can construct a request (forging whatever headers they like, including Origin) that hits your server. What the Same Origin Policy and CORS rely on is a cooperative browser placing limits on what foreign scripts can do.

So the news is good. Since your code runs in a private web view in an app, you presumably don't face the risk of a foreign site running code in your view. (As opposed to browsers, where many domains run code in the same browser.)

So, as long as your code is running only on the app, CORS does not make your site any more or less vulnerable than it would be otherwise.


While OAuth is the enterprise/long-term solution, for a weekend project,

can you think of restricting the methods to only GET or the few that are needed, and also providing access to only specific resources?

Here is one workaround I used.

I had a similar problem for an AngularJS application on Tomcat that needed to interact with a RESTful back-end application.

I created a Java application and hosted it on the same Tomcat where the Angular app was hosted. This Java application made calls to the backend. I later replaced the Tomcat/Java application with grunt and nodejs. Worked well.

In nodejs, relaying requests was 4 lines of code :-)