Leanplum / Leanplum-JavaScript-SDK

Leanplum's integrated solution delivers meaningful engagement across messaging and the in-app experience.

Home Page: https://www.leanplum.com

Security concerns - sending messages, modifying data

sorliem opened this issue · comments

Given how the SDK is set up, what's to stop an attacker from grabbing the development key, production key, and app id and modifying data in the system?

From looking at the HTTP API endpoints and what a person can look up in developer tools, an attacker could take advantage of these endpoints:

registerDevice
getVars
setVars

If the attacker has a list of device IDs that they are targeting, they can attempt to attack all of the user data endpoints, including deleteUser and sendMessage.

Hi @sorliem, I noticed this security concern today with a legacy project, and I now have the same question, but... what did you find about this topic to close the issue?

Hi @llstarscreamll, we built a proxy that the client would route through to protect the keys.