a) At the limit, I suspect this is impossible. If someone reverse engineers your app they will be able to work out whatever it does to identify itself and reproduce that functionality in your app.
b) With that in mind, one option would be to enable mutual certification (Server -> Server Settings -> Client Connections -> Advanced Configuration) and embed a certificate in your client. This would prevent anyone without the certificate from logging in.
c) Alternatively, a less standard way would be to write a custom plugin that
- Registers an org.jivesoftware.openfire.event.SessionEventListener
- When a new session is created, sends a message to the user who just logged in
- If the client does not respond appropriately, disconnect the session
Some ideas, anyway.
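
A sketch of the plugin described in option (c), added here as an illustration; it is not part of the original post and not Openfire's own code. The class name `ChallengePlugin`, the shared `KEY`, the `challenge:` message format, the HMAC answer and the 10-second timeout are all assumptions, and as point (a) notes, a secret embedded in the client can be extracted by anyone who reverse engineers it.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.*;
import java.util.*;
import java.util.concurrent.*;
import javax.crypto.Mac;
import org.jivesoftware.openfire.container.*;
import org.jivesoftware.openfire.event.*;
import org.jivesoftware.openfire.interceptor.*;
import org.jivesoftware.openfire.session.Session;
import org.xmpp.packet.*;
// Hypothetical plugin: class name, KEY, message format and timeout are assumptions.
public class ChallengePlugin implements Plugin, SessionEventListener, PacketInterceptor {
    private static final byte[] KEY = "PLACEHOLDER-SECRET".getBytes(UTF_8); // also embedded in the client
    private final Map<String, byte[]> pending = new ConcurrentHashMap<>(); // full JID -> expected answer
    private final ScheduledExecutorService timer = Executors.newSingleThreadScheduledExecutor();
    public void initializePlugin(PluginManager manager, java.io.File pluginDirectory) {
        SessionEventDispatcher.addListener(this);
        InterceptorManager.getInstance().addInterceptor(this);
    }
    public void destroyPlugin() {
        SessionEventDispatcher.removeListener(this);
        InterceptorManager.getInstance().removeInterceptor(this);
        timer.shutdownNow();
    }
    public void resourceBound(Session s) { // fired once the session has a full JID to address
        String jid = s.getAddress().toString(), nonce = UUID.randomUUID().toString();
        pending.put(jid, hmac(nonce));
        Message m = new Message();
        m.setTo(s.getAddress());
        m.setBody("challenge:" + nonce);
        s.deliverRawText(m.toXML());
        timer.schedule(() -> { if (pending.remove(jid) != null) s.close(); }, 10, TimeUnit.SECONDS); // no answer: disconnect
    }
    public void interceptPacket(Packet p, Session s, boolean incoming, boolean processed) throws PacketRejectedException {
        byte[] want = s == null ? null : pending.get(s.getAddress().toString());
        if (!incoming || processed || want == null) return; // only stanzas from sessions still being challenged
        String body = p instanceof Message ? ((Message) p).getBody() : null;
        if (body != null && MessageDigest.isEqual(want, body.getBytes(UTF_8))) pending.remove(s.getAddress().toString());
        throw new PacketRejectedException("challenge pending"); // swallow the answer, drop anything else
    }
    private static byte[] hmac(String nonce) { // expected answer: Base64(HMAC-SHA256(KEY, nonce))
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new javax.crypto.spec.SecretKeySpec(KEY, "HmacSHA256"));
            return Base64.getEncoder().encode(mac.doFinal(nonce.getBytes(UTF_8)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    public void sessionCreated(Session s) {} public void sessionDestroyed(Session s) {}
    public void anonymousSessionCreated(Session s) {} public void anonymousSessionDestroyed(Session s) {}
}
```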