App service (app_id) security enhancement
I am developing an App and using Realm to store data on the device and to synchronize that with my Mongo DB. The Realm features finally seem to be working fine; however,
I was surprised that only the App id is needed to reach my App service programmatically from code. There is no App secret or key pair... It seemed even more vulnerable when I found that the default password change URLs and confirmation mail URLs have my App id in them.
So I don't see any gate which would prevent any of my app's users from getting my app id and, with that, developing any code and reaching my app application from mobile. I know there is the schema definition, for example, which must fit my DB to have syncing, and there are user permissions and limitations to ensure that a user can always reach only their own data, but I just don't feel this is enough. I don't even want to get logs about bad schema definitions or such in my App service and investigate these cases to find out whether it's my code or some other usage of my app by anyone.
So a feature could be to handle the app id in a more secure way. It could have a private part and a public one, and public features, like confirmation mail URLs, should carry only the public part. Or a new app secret could be introduced which would also be needed to reach an App service.
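The post mentions per-user permissions as the remaining gate once the app id is public. The following is an added example, not code from the original post and not MongoDB's or Realm's own rule engine: a simplified, local model of an "owner only" document rule, written here to show concretely what such a gate does and does not do. The rule document shape, the `%%user.id` placeholder expansion, and the helper names (`ownerOnlyRule`, `visibleDocs`, `canWrite`, `demo`) are assumptions for illustration; the sample documents are constructed.

```javascript
// Added example (not from the original post or from MongoDB/Realm). A local,
// simplified model of an "owner only" document rule: the per-user permission
// the post refers to as the remaining gate once the app id is public.
// Assumptions (hypothetical): a rule document with read/write filters whose
// values may be the placeholder "%%user.id", evaluated against a signed-in user.

const ownerOnlyRule = {
  roles: [
    {
      name: "owner",
      apply_when: {},
      document_filters: {
        read: { owner_id: "%%user.id" },
        write: { owner_id: "%%user.id" },
      },
      insert: true,
      delete: true,
      read: true,
      write: true,
    },
  ],
};

// Replace "%%user.id" placeholders with the caller's id. A caller without a
// user id (anonymous, not logged in) is rejected before any document is seen,
// so knowing the app id alone never yields data.
function expandFilter(filter, user) {
  if (!user || typeof user.id !== "string" || user.id.length === 0) {
    throw new Error("unauthenticated: no user id to expand %%user.id");
  }
  const out = {};
  for (const [field, value] of Object.entries(filter)) {
    out[field] = value === "%%user.id" ? user.id : value;
  }
  return out;
}

// Exact-match filter evaluation over a flat document.
function matches(doc, expanded) {
  return Object.entries(expanded).every(([field, v]) => doc[field] === v);
}

// Returns the subset of docs the user may read; throws if unauthenticated.
function visibleDocs(rule, user, docs) {
  const role = rule.roles[0];
  const filter = expandFilter(role.document_filters.read, user);
  return role.read ? docs.filter((d) => matches(d, filter)) : [];
}

// True only if the role allows writes and the document passes the write filter.
function canWrite(rule, user, doc) {
  const role = rule.roles[0];
  const filter = expandFilter(role.document_filters.write, user);
  return Boolean(role.write) && matches(doc, filter);
}

// Constructed sample data: one document per owner.
const sampleDocs = [
  { _id: 1, owner_id: "user-A", note: "A's note" },
  { _id: 2, owner_id: "user-B", note: "B's note" },
];

// Walk through the three cases a practitioner cares about: what user A can
// read, whether A can write B's document, and what an anonymous caller gets.
function demo() {
  const alice = { id: "user-A" };
  const readable = visibleDocs(ownerOnlyRule, alice, sampleDocs).map((d) => d._id);
  const writeOther = canWrite(ownerOnlyRule, alice, sampleDocs[1]);
  let anonRejected = false;
  try {
    visibleDocs(ownerOnlyRule, null, sampleDocs);
  } catch (e) {
    anonRejected = true;
  }
  return { readable, writeOther, anonRejected };
}

console.log(demo());
```

What the model makes visible: the app id is a routing identifier, and the thing that actually scopes data is the combination of an authenticated user identity and a rule that binds every read and write to that identity. It also shows what the rule does not prevent, which is the point of the post: nothing here stops someone who knows the app id from creating their own user and generating traffic (and schema-mismatch logs) against the service.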