We are investigating the possibility of creating an app with one code base that can be run on our web server (as an HTML file plus JavaScript) and also as smartphone apps (iOS/Android, compiled with Intel XDK). Because of this approach, we can only use HTML, CSS and JavaScript. Our current study is connecting to our server using AJAX to invoke a PHP file on the server that echoes the same data back to the client JavaScript side.
Currently we are testing with the following code, borrowed and modified a bit from https://stackoverflow.com/a/5004276/144201:
HTML:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script src="jquery.js"></script>
<script src="ajaxphpjquery.js"></script>
</head>
<body>
<form id="foo">
<label for="bar">A bar</label>
<input id="bar" name="bar" type="text" value="" />
<input type="submit" value="Send" />
</form>
<div id="result"></div>
</body>
</html>
JS (showing only the AJAX request and the part that receives the data back; we use jQuery):
// Run once the DOM is ready, because the script is loaded in <head>
$(function () {
    // Intercept the form submit so the page does not reload
    $("#foo").submit(function (event) {
        event.preventDefault();
        // Serialize the form fields (bar=...) as the POST body
        var serializedData = $(this).serialize();
        var request = $.ajax({
            url: "http://MYURL.com/myPHP.php",
            type: "post",
            data: serializedData
        });
        // Callback handler that will be called on success
        request.done(function (response, textStatus, jqXHR) {
            // Log a message to the console
            console.log("it worked : " + response);
            // And also show the message in the result tag; text() rather than
            // html(), since the response contains user-supplied input
            $("#result").text("it worked : " + response);
        });
    });
});
PHP on our server:
<?php
// Allow any origin to read the response (this is the header the question is about)
header("Access-Control-Allow-Origin: *");
// Read the form field posted by the AJAX request, if present
$bar = isset($_POST['bar']) ? $_POST['bar'] : null;
// Echo it back to the client
echo "!!! $bar";
?>
While all this code worked fine and we got the form input echoed back correctly, one thing that is bothering us is the use of header("Access-Control-Allow-Origin: *"); in PHP. As mentioned in https://stackoverflow.com/a/17098221/144201, this implies that the wildcard would allow cross-site scripts from any domain. Therefore, it is preferable to use something like a whitelist of which domains may connect to our server.
But in the case of hybrid apps, imagine a thousand users using this hybrid app on their smartphones and connecting to our server via AJAX. Is Access-Control-Allow-Origin: * the only way to allow external hybrid apps to connect to our server? What is the proper method to tackle this issue, security-wise?
Note: We have also found https://stackoverflow.com/a/26966685/144201, but this was asked two years ago and there is no accepted answer. Are there any recommendations regarding this issue as of now?
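Added example, not part of the question: a PHP allow-list check that replaces the wildcard header in the test script above. The response headers are computed by a pure function so the decision can be unit-tested; the origin list, the helper name corsHeadersFor and the PHP 7.1+ syntax (nullable types, ??) are assumptions.

```php
<?php
// Added example (not from the question): send CORS headers from an allow-list
// instead of "Access-Control-Allow-Origin: *".

/**
 * Return the CORS headers to send for one request, or an empty array when the
 * Origin is not on the allow-list (the browser then blocks the cross-origin read).
 *
 * @param string|null $origin         Value of the request's Origin header, or null.
 * @param string[]    $allowedOrigins Exact origins (scheme://host[:port]) allowed to read responses.
 * @return string[]
 */
function corsHeadersFor(?string $origin, array $allowedOrigins): array
{
    // No Origin header: same-origin request or a non-browser client; nothing to add.
    if ($origin === null || $origin === '') {
        return [];
    }
    // Exact, case-sensitive comparison. Never use a substring or regex match here:
    // "https://example.com.evil.test" must not pass for "https://example.com".
    if (!in_array($origin, $allowedOrigins, true)) {
        return [];
    }
    return [
        // Echo back only the one origin that matched, never the wildcard.
        'Access-Control-Allow-Origin: ' . $origin,
        // The response now differs per Origin, so shared caches must key on it.
        'Vary: Origin',
        'Access-Control-Allow-Methods: POST, OPTIONS',
        'Access-Control-Allow-Headers: Content-Type',
    ];
}

// Placeholder list (assumption): the origin(s) the web version of the app is served from.
$allowedOrigins = [
    'https://www.example.com',
];

$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
foreach (corsHeadersFor($origin, $allowedOrigins) as $h) {
    header($h);
}

// Preflight request: the browser only needs the headers above, no body.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
    http_response_code(204);
    exit;
}

// Same behaviour as the original test script from here on.
$bar = $_POST['bar'] ?? null;
echo "!!! $bar";
```

Two points this makes concrete. First, CORS is enforced by the browser on behalf of the user, not by the server: a client that is not a browser can POST to myPHP.php whatever Access-Control-Allow-Origin says, so the allow-list protects visitors of other sites from having your responses read from their browser, and does nothing to authenticate the hybrid app itself; that still needs a credential the app presents (for example a per-user token checked on the server). Second, pages loaded from the app package in a WebView typically send Origin "file://" or "null" rather than a hostname (platform behaviour, stated here as an assumption to verify on the target devices); "null" in particular should not be added to the list, because sandboxed iframes and some redirects also produce it, which is why the allow-list alone does not make the wildcard question go away for the hybrid case.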