Quoting Jef Poskanzer <jef.poskan...@gmail.com>:

> On Aug 9, 10:48 am, Tom <allerleiga...@gmail.com> wrote:
>> exactly the same issue as the one which Twitter currently has
>
> No.
>
> A malfeasor who gets your app key can make any API call pretending to
> be you, from any IP address, logged in as any user. A malfeasor who
> goes through your app's signing proxy can only do the calls that your
> app is willing to sign, which you can restrict by IP address, userid,
> calls/second throttle, or any way you like.

Yep - sooner or later you have to build *some* kind of server to
protect your business, even if the majority of your functionality is
mobile or desktop. Given that, why not simply build as much of the
functionality into the server as possible and make a browser-based app
right from the start? ;-)
This is that "cloud computing stuff" that they talk about in those
expensive trade shows, right? ;-)
--
M. Edward (Ed) Borasky
http://borasky-research.net http://twitter.com/znmeb
"A mathematician is a device for turning coffee into theorems." - Paul Erdos
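
The signing proxy described in the quoted reply, as an added example that is not part of the original thread: the app secret stays on the server, and a request is signed only after it passes an IP check, a call allowlist and a per-user throttle. The HMAC-SHA1 signature in the style of OAuth 1.0a, the endpoint URL, the limits and all names are assumptions made for illustration.

```python
import base64, hashlib, hmac, time
from collections import defaultdict, deque
from urllib.parse import quote

# Every name and value here is constructed for illustration.
CONSUMER_SECRET = "constructed-app-secret"  # stays on the server, never in the client
ALLOWED_CALLS = {("POST", "https://api.example.test/statuses/update")}
BLOCKED_IPS = {"203.0.113.7"}
MAX_CALLS, WINDOW_SECONDS = 3, 60  # per-user throttle

class Refused(Exception):
    """Raised when the proxy declines to sign a request."""

_history = defaultdict(deque)  # user_id -> timestamps of recently signed calls

def _enc(value):
    # Percent-encode everything outside the RFC 3986 unreserved set.
    return quote(str(value), safe="-._~")

def sign_request(client_ip, user_id, token_secret, method, url, params, now=None):
    """Apply the proxy's policy, then return a base64 HMAC-SHA1 signature."""
    now = time.time() if now is None else now
    method = method.upper()
    if client_ip in BLOCKED_IPS:
        raise Refused("ip blocked")
    if (method, url) not in ALLOWED_CALLS:
        raise Refused("call not permitted")
    recent = _history[user_id]
    while recent and now - recent[0] >= WINDOW_SECONDS:
        recent.popleft()  # forget calls that have left the sliding window
    if len(recent) >= MAX_CALLS:
        raise Refused("rate limit")
    recent.append(now)
    # Signature base string: method, encoded URL, encoded sorted parameters.
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method, _enc(url), _enc(normalized)])
    key = f"{_enc(CONSUMER_SECRET)}&{_enc(token_secret)}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()
```

A leaked client build gives an attacker nothing to sign with; the most they can do is ask the proxy, which applies the same limits to them as to any other caller.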