Reply To: Security: invalid data injection

#784
Hexide
Participant

It would be best if each device had a unique key stored in it, and it would be attached to the device ID. The key would be used to hash all data before it's sent to the server, and the hash is attached to the request.

The server gets the request, looks up the device by its ID and grabs its key.
It validates the request data (does the same hashing procedure as the device); if everything matches up, the request is probably genuine.
Upsides are that:
1. devices could be pretty easily blacklisted using this method
2. it would be hard to fake some other device

Downsides are that each device would need to have a unique binary image on it.
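
The scheme described in the post above, as an added example that is not part of the original post. It assumes HMAC-SHA256 as the keyed hash (the post names no algorithm); the device IDs, keys, blacklist and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: device IDs and keys are made up for this example.
DEVICE_KEYS = {
    "dev-001": bytes.fromhex("11" * 32),
    "dev-002": bytes.fromhex("22" * 32),
}
BLACKLIST = {"dev-002"}  # revoking one device does not affect the others


def canonical(device_id, payload):
    """Serialize deterministically so device and server hash identical bytes."""
    body = {"device_id": device_id, "payload": payload}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(device_id, key, payload):
    """Device side: attach a keyed hash of the data to the request."""
    tag = hmac.new(key, canonical(device_id, payload), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "payload": payload, "tag": tag}


def verify_request(request):
    """Server side: look up the key by device ID, redo the hash, compare."""
    device_id = request.get("device_id")
    if not isinstance(device_id, str):
        return False, "unknown device"
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False, "unknown device"
    if device_id in BLACKLIST:
        return False, "blacklisted device"
    data = canonical(device_id, request.get("payload"))
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    supplied = str(request.get("tag", ""))
    # compare_digest runs in constant time, so a mismatch does not reveal
    # how many leading characters of the tag were correct.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad tag"
    return True, "ok"
```

A captured valid request still verifies if it is resent unchanged, so rejecting replays needs a counter or timestamp inside the hashed payload that the server tracks per device.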