Quoting Jef Poskanzer <jef.poskan...@gmail.com>:

On Aug 9, 10:48 am, Tom <allerleiga...@gmail.com> wrote:
exactly the same issue as the one which Twitter currently has


A malfeasor who gets your app key can make any API call pretending to
be you, from any IP address, logged in as any user.  A malfeasor who
goes through your app's signing proxy can only do the calls that your
app is willing to sign, which you can restrict by IP address, userid,
calls/second throttle, or any way you like.

Yep - sooner or later you have to build *some* kind of server to protect your business, even if the majority of your functionality is mobile or desktop. Given that, why not simply build as much of the functionality into the server as possible and make a browser-based app right from the start? ;-)

This is that "cloud computing stuff" that they talk about in those expensive trade shows, right? ;-)

M. Edward (Ed) Borasky
http://borasky-research.net http://twitter.com/znmeb

"A mathematician is a device for turning coffee into theorems." - Paul Erdos

Reply via email to