The Moodle app users are permanently logged-in (until the authentication token expires, default duration is around 3 months) this is why is not easy to detect user sessions.
My recommendation would be to check the lastmodified field of the external_tokens table, it indicates the last time a user accessed via the mobile app (or web services), you should be storing this data periodically, for example, everyday 30 minutes calculate the last access per user and then consolidate the data.
My recommendation would be to check the lastmodified field of the external_tokens table, it indicates the last time a user accessed via the mobile app (or web services), you should be storing this data periodically, for example, everyday 30 minutes calculate the last access per user and then consolidate the data.