This will make users unable to use the mobile app that is connected to the web service.
I guess there's no way to meet my requirement.
Well, if you manage or wrote the mobile app yourself, there is always the option to introduce some form of "port-knocking":
1) Developers should, before they start their work, issue a port-knock sequence to your device to "open up". There are port-knock apps for Android, no problem.
2) Ordinary users, not using your mobile app, will face a public IP that is completely closed, with no backend web service accessible.
3) App users: the app first launches the port-knock sequence in the correct order, the ACL is dynamically adjusted and their public IP is added to the list. Then the app can use the DNAT and reach the backend web service.
The only drawback: of course the traffic could be sniffed, so advanced users can figure out the knock sequence you issue to open up. But let's be real, 99.999999% are not going to investigate your app to see what traffic it emits, etc.
I know, this is seriously far-fetched and there are probably better ways, but just giving you some ideas.
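As an added illustration (not code from any post in this thread or from any particular router vendor), the sketch below shows the gate-side logic a scheme like this depends on: tracking each source's progress through an ordered knock sequence, resetting on an out-of-order knock, bounding the whole sequence by a time window, and expiring the dynamic allow-list entry. The ports, addresses and timeouts are constructed values.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed example ports
KNOCK_WINDOW = 10.0                  # seconds allowed to finish the whole sequence
ALLOW_TTL = 60.0                     # seconds a knocked source stays on the allow list


@dataclass
class KnockGate:
    """Per-source knock progress plus the dynamic allow list the ACL would consult."""
    progress: dict = field(default_factory=dict)  # src_ip -> (next_index, first_knock_time)
    allowed: dict = field(default_factory=dict)   # src_ip -> expiry timestamp

    def observe(self, src_ip: str, dst_port: int, now: float) -> bool:
        """Feed one packet aimed at a closed port. Returns True when the sequence completes."""
        idx, started = self.progress.get(src_ip, (0, now))
        if now - started > KNOCK_WINDOW:        # too slow: start over
            idx, started = 0, now
        if dst_port == KNOCK_SEQUENCE[idx]:
            idx += 1
            if idx == len(KNOCK_SEQUENCE):      # full sequence seen: open the ACL
                self.allowed[src_ip] = now + ALLOW_TTL
                self.progress.pop(src_ip, None)
                return True
            self.progress[src_ip] = (idx, started)
        else:                                   # wrong port: out-of-order knock resets state
            self.progress.pop(src_ip, None)
            if dst_port == KNOCK_SEQUENCE[0]:   # ...but may itself be a fresh first knock
                self.progress[src_ip] = (1, now)
        return False

    def is_allowed(self, src_ip: str, now: float) -> bool:
        """True while the source's allow-list entry has not expired."""
        expiry = self.allowed.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.allowed[src_ip]
            return False
        return True


def demo() -> tuple:
    """Constructed traffic: the app knocks in order, a port scanner hits the ports out of order."""
    gate, t = KnockGate(), 1000.0
    for port in KNOCK_SEQUENCE:
        gate.observe("203.0.113.10", port, t)
        t += 1
    for port in (9000, 8000, 7000):
        gate.observe("198.51.100.7", port, t)
    return (gate.is_allowed("203.0.113.10", t),
            gate.is_allowed("198.51.100.7", t),
            gate.is_allowed("203.0.113.10", t + ALLOW_TTL + 1))
```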