
The users of my app do not need to sign up or do anything like that, and they can use the app as soon as they install it on their phone.

How can I prevent others from using my web apis/services and restrict it only to my app?

To give a more concrete case, let's say I am using the Firebase Realtime Database service. How can I prevent others from using this service on my behalf?

al pal

1 Answer


Context

How can I prevent others from using my web apis/services and restrict it only to my app?

You mention web here and in the tags for this question, but it's not explicit that you are referring to a web app or a mobile app.

The users of my app do not need to signup or do anything like that, and they can use the app as soon as they install it on their phone.

From this I am assuming that your app is a mobile app, because of this sentence: they can use the app as soon as they install it on their phone, and I am assuming that when you refer to my web apis/services you are indeed referring to a REST API and to third-party services like Firebase, which you also mention in the question.

The Difference Between WHO and WHAT is Accessing the API Server

How can I prevent others from using my web apis/services and restrict it only to my app?

By others you seem to mean another human being, the who in the request, but you may want to say instead what software/script/bot is trying to use my web apis/services.

Knowing the difference between what is making a request to your API server and on behalf of whom the request is being made is crucial for understanding what security posture and defenses you need to apply in your use case.

I wrote a series of articles around API and Mobile security, and in the article Why Does Your Mobile App Need An Api Key? I go into more detail about the difference between who and what is accessing your API server, but I will extract here the main takeaways from it:

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAuth2 flows.

You can think about the who as the user your API server would be able to Authenticate and Authorize access to the data, and think about the what as the software making that request on behalf of the user.

In your use case the who is not relevant, because you don't have user authentication in your mobile app, thus you need to find a way to identify what is making the request. So you are looking to lock down your API server to your mobile app, and you have found yourself a very challenging issue to solve.

Locking Down the API/Services

For the API Server

How can I prevent others from using my web apis/services and restrict it only to my app?

For the API server to have a high degree of confidence that what is making the request is indeed your genuine mobile app, and not a bot/script or a tampered version of your mobile app, the Mobile App Attestation concept can be used/implemented, and I invite you to read my reply to the question How to secure an API REST for mobile app? in the section A Possible Better Solution to understand this concept.

NOTE: Just in case you indeed have a web app, and not a mobile app, then I recommend that you instead read this other answer I gave to the question How to secure own backend API which serves only my frontend? and read the section Possible Solutions.

For Firebase

To give a more concrete case, let's say I am using the Firebase Realtime Database service. How can I prevent others from using this service on my behalf?

I am not an expert in Firebase, thus I will point you to this answer for the question Locking down Firebase DB access to specific apps.

It seems to me that Firebase security is implemented around security rules and user authentication:

A common first step in securing your app is identifying your users. This process is called authentication. You can use Firebase Authentication to have users sign in to your app.

But you don't identify who is using your mobile app, thus their first step doesn't apply to your use case, but it seems that they support anonymous user authentication:

You can use Firebase Authentication to create and use temporary anonymous accounts to authenticate with Firebase. These temporary anonymous accounts can be used to allow users who haven't yet signed up to your app to work with data protected by security rules.

So this may be your best chance to go with in terms of locking your mobile app with Firebase.

In a nutshell, it looks like Firebase doesn't have any built-in functionality to identify what is making the request, because their focus seems to be more on who is making the request, but since I am not an expert on it I advise you to take this statement with caution and do your own research.

When applying security rules you may want to take into account the resolve insecurities page and use the Firebase Simulator to test the different rules.

Do you want to go the Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

Exadra37