If you only use secure connections, i.e. connect over HTTPS, this particular threat (the content of a request being sniffed) is mitigated.
However, there is no need to enable CORS if the API in App1 is only called by App2. Furthermore, since you are sending the password in the body of a request, you will have to build custom authentication. Developers building custom authentication without understanding security will probably end up with an insecure application.
Therefore: secure the API in App1 with a username and password (the default setting), and when calling the API from App2 simply supply the correct username and password.