Difficulties in creating APIs for third parties
We have been thinking about creating APIs so that people can easily create and integrate their applications with HexHoot. We were also thinking about hosting a page where we link to these applications as well.
In our brainstorming sessions, we have been encountering a serious concern. Any design that we have so far been able to come up with have a vulnerability that an application could simply access the user information from the IndexedDB, and could potentially send it across to unauthorised party.
|Image generated by OpenAI's DALL-E 2.|
Currently, we are thinking in three different directions to come up with something that could eliminate this vulnerability:
- We should come up with a design wherein apps can not access such information. This may have been an easier task if we did not want to keep HexHoot's codebase opensource. We could think of different techniques with which we could achieve this, if at least a part of the codebase was closed.
- We could simply let users use third party apps at their own risk. Indeed, a lot of platforms have transfered the risk to the users; for instance, we can install softwares on Windows, Linux and macOS that come from any sources.