I’ve figured I have to do some kind of API where the Android app sends parameters to a php-file, or similar.
I’m thinking of an app that would have some sort of high score list. How would I go about making sure that the submitted high score values are in fact achieved through the app? Say that the person achieves 9001 points. Now if this only results in some sort of file.php?score=9001 call, I’m not feeling very secure about people finding the php-location and submitting whatever they like.
Any input on this kind of problem? Thank you.
There is no way to make this 100% secure since you have no way of verifying where a request came from, but there is a way to make it slightly harder to hack the highscores. It’s still basically security through obscurity but it requires digging into the actual app binary rather than just looking at the network connections.
First, pick a “password” for your app. Instead of sending just the score, also send a cryptographic hash (say, SHA-256 or something) of the password concatenated with the score. On the server side, recalculate the hash of password concatenated with score and check if this matches the submitted hash. If it does not, reject the score submission.
Now this is somewhat more secure than the initial approach because looking at the requests the app makes does not enable you to forge scores. However, looking into the binary code of the app will still allow an attacker to recover the password and forge score submissions, but this is very involved and probably good enough for your purposes.
Of course, this does not rule out being able to duplicate a score (once the proper hash is known, you can submit a score as many times as you want). If you even want to prevent this, submitting a score would have to go like this: request (random) ID number from server, hash score + ID + password, submit the score + hash, the server then checks whether this hash is good. The server needs to remember the ID number so this is a little more involved to program.
A simpler solution would be to associate each score with the player’s name, and only allow 1 score per player. Then you could hash password + name + score.
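
The ID-based submission described in the answer above, with the player name bound in as well, as an added example in Python that is not part of the original post. It assumes a constructed secret and hypothetical names (`sign`, `ScoreServer`), and uses HMAC-SHA256 over length-prefixed fields in place of the plain hash of concatenated values.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; in the scheme above it ships inside the app binary,
# so it only raises the bar and can still be extracted.
APP_SECRET = b"constructed-demo-secret"


def sign(nonce: str, name: str, score: int) -> str:
    """HMAC-SHA256 tag; fields are length-prefixed so they cannot run together."""
    msg = b"".join(
        len(f).to_bytes(4, "big") + f
        for f in (nonce.encode(), name.encode(), str(score).encode())
    )
    return hmac.new(APP_SECRET, msg, hashlib.sha256).hexdigest()


class ScoreServer:
    def __init__(self):
        self.pending = set()   # IDs issued but not yet used
        self.scores = {}       # player name -> best accepted score

    def issue_id(self) -> str:
        """Step 1: hand the client a fresh random ID and remember it."""
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def submit(self, nonce: str, name: str, score: int, tag: str) -> bool:
        """Step 3: accept only a valid tag over an ID that is still unused."""
        if nonce not in self.pending:
            return False                      # unknown or already used ID: replay
        if not hmac.compare_digest(sign(nonce, name, score).encode(), tag.encode()):
            return False                      # score, name or ID was altered
        self.pending.discard(nonce)           # one-time use
        self.scores[name] = max(score, self.scores.get(name, 0))
        return True


def demo():
    server = ScoreServer()
    nonce = server.issue_id()
    tag = sign(nonce, "alice", 9001)          # step 2: done inside the app
    first = server.submit(nonce, "alice", 9001, tag)
    replay = server.submit(nonce, "alice", 9001, tag)    # same ID again
    nonce2 = server.issue_id()
    forged = server.submit(nonce2, "alice", 99999, tag)  # old tag, new score
    return first, replay, forged, server.scores
```

`demo()` returns `(True, False, False, {"alice": 9001})`: the first submission is accepted, the replayed one and the altered one are rejected.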