First of all, I don’t work for or speak for Ionic. I also never have been a client of any of their enterprise products, so I haven’t the faintest clue about what they even are, much less what they do.
I’m not sure what your first paragraph means, but if you’re saying that you should design your app such that it works securely even if potential blackhats have access to the entire source code for it, yes, I agree with that. Fortunately, it’s fairly simple to do that, and the things to consider are the same as with any app that runs on untrusted hardware.
This concerns me. Self-submitted version numbers constitute zero security. I would suggest thinking in terms of actors, not programs. If I were in your situation, I wouldn’t care one iota what client app a user wanted to use. I only care that I’m providing access to Alice’s account to Alice and Alice only. Alice might care whether she’s using the official version of my app or not, but that’s a totally separate problem that by definition cannot be addressed from within the code of the app. That’s why Google and Apple have their code signing processes.
So I would suggest having a middleware server that is under your control that talks to a database also under your control. The app submits usernames and passwords or whatever other authentication secrets you might employ: however, it is absolutely critical that these secrets are linked to the user and not the app binary. Do not hardcode any secret strings or encryption keys in the app binary, period. The middleware server returns a JWT that the app can store locally for however long you deem appropriate. Further communication with the API to secure areas of your backend can be restricted by that JWT, so that the backend knows that a request for Alice’s inbox can safely be returned because it came with a properly signed JWT containing Alice’s identification.
Bear in mind that it is intended to treat a completely different attack vector, one where Bob grabs Alice’s phone and steals the JWT used to interact with your backend. Now Bob can impersonate Alice as far as your system is concerned. That’s a categorically different concern than somebody “stealing” your source code.
As I’ve said repeatedly on this topic, “how do I protect my intellectual property in an Ionic app” is fundamentally a legal, not a technical question.
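A sketch of the middleware and backend flow described in the post above, added here as an illustration; it is not part of the original post and not Ionic code. It assumes a Node.js server, an HS256-signed JWT, and a constructed in-memory user store; the names `login`, `verify` and `getInbox` are hypothetical.

```javascript
// Added example: everything here runs server-side. The app binary holds no key; it only stores the token.
const crypto = require('node:crypto');

const SERVER_KEY = crypto.randomBytes(32); // lives on the middleware, never shipped in the app
const b64 = (v) => Buffer.from(v).toString('base64url');
const hashPw = (pw, salt) => crypto.scryptSync(pw, salt, 32);

// Constructed sample data (hypothetical users and inboxes).
const salt = crypto.randomBytes(16);
const USERS = { alice: { salt, hash: hashPw('correct horse', salt) } };
const INBOX = { alice: ['hi Alice'], bob: ['hi Bob'] };

function sign(data) {
  return crypto.createHmac('sha256', SERVER_KEY).update(data).digest();
}

// Middleware: authenticate the user (not the client program), then issue a JWT.
function login(username, password, now = Date.now(), ttlSec = 900) {
  const u = Object.hasOwn(USERS, username) ? USERS[username] : null;
  if (!u || !crypto.timingSafeEqual(hashPw(password, u.salt), u.hash)) return null;
  const iat = Math.floor(now / 1000);
  const head = b64(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64(JSON.stringify({ sub: username, iat, exp: iat + ttlSec }));
  return `${head}.${body}.${b64(sign(`${head}.${body}`))}`;
}

// Backend: accept only HS256 tokens with a valid signature that have not expired.
function verify(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const given = Buffer.from(sig, 'base64url');
  const want = sign(`${head}.${body}`);
  if (given.length !== want.length || !crypto.timingSafeEqual(given, want)) return null;
  try {
    if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url'));
    return claims.exp > Math.floor(now / 1000) ? claims : null;
  } catch { return null; }
}

// The inbox returned is chosen by the signed `sub`, never by a client-supplied name or version.
function getInbox(token, now = Date.now()) {
  const claims = verify(token, now);
  return claims ? INBOX[claims.sub] : null;
}
```

The short `ttlSec` bounds how long a token lifted from Alice's phone stays usable, which is the separate stolen-token concern the post mentions.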