Difficulties in creating APIs for third parties
We have been thinking about creating APIs so that people can easily create applications and integrate them with HexHoot. We were also thinking about hosting a page where we link to these applications.
In our brainstorming sessions, we have been encountering a serious concern. Every design that we have been able to come up with so far has the same vulnerability: an application could simply read the user's information from the IndexedDB and could potentially send it to an unauthorised party.
Image generated by OpenAI's DALL-E 2.
Currently, we are thinking in three different directions to come up with something that could eliminate this vulnerability:
- We should come up with a design wherein apps cannot access such information. This may have been an easier task if we did not want to keep HexHoot's codebase open source. We could think of different techniques with which we could achieve this, if at least a part of the codebase was closed.
- We could require developers to reveal their source code if their apps are to be displayed on our page for third party apps. Although this could work in theory, it would be a tedious task to review the code of third party apps at scale. Furthermore, since JavaScript supports 'eval', it is also possible for these apps to evaluate strings that are assembled at runtime, either by sending them in remotely or by storing them as encrypted strings that are decoded prior to evaluation.
- We could simply let users use third party apps at their own risk. Indeed, a lot of platforms have transferred the risk to the users; for instance, we can install software on Windows, Linux and macOS that comes from any source.
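To make the review problem in the second option concrete, here is an added example (not HexHoot code) of a review-time scan that flags where a submitted app evaluates code built at runtime. The names `SINKS`, `TOKENS`, `mask` and `findDynamicEval` and the sample source are assumptions made for illustration.

```javascript
// Added example: review-time scan for dynamic code evaluation in a submitted app.
// SINKS, TOKENS, mask and findDynamicEval are hypothetical names, not part of HexHoot.
const SINKS = [
  { sink: 'eval', re: /\beval\s*\(/g },
  { sink: 'Function constructor', re: /\b(?:new\s+)?Function\s*\(/g },
  { sink: 'string timer', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
];

// Comments, quoted strings and template literals, matched in source order.
const TOKENS = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\.|[^`\\])*`/g;

// Blank comments and the inside of quoted strings so that text which merely
// mentions eval( is not reported. Newlines survive, so line numbers stay valid.
// Template literals are left intact because ${...} can hold real code.
// Regex literals are not parsed; a reviewer should expect some false positives.
function mask(src) {
  const blank = (s) => s.replace(/[^\n]/g, ' ');
  return src.replace(TOKENS, (m) => {
    if (m[0] === '`') return m;
    if (m[0] === '/') return blank(m);
    return m[0] + blank(m.slice(1, -1)) + m[m.length - 1];
  });
}

// Returns [{ line, sink }] for every place the source evaluates a string as code.
function findDynamicEval(src) {
  const masked = mask(src);
  const hits = [];
  for (const { sink, re } of SINKS) {
    for (const m of masked.matchAll(re)) {
      hits.push({ line: masked.slice(0, m.index).split('\n').length, sink });
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}

// Constructed sample of a submitted app (not real third-party code).
const SAMPLE = [
  '// helper: never call eval() here',
  'const msg = "use eval(x) with care";',
  'const run = new Function("a", body);',
  'setTimeout("tick()", 100);',
  'setTimeout(() => tick(), 100);',
  'const out = eval(assembled);',
].join('\n');

console.log(findDynamicEval(SAMPLE));
```

Every hit marks a point where the reviewed text stops describing what the app will execute, so a reviewer has to treat the app's runtime behaviour there as unknown. A clean result only means no direct sink appears in the submitted source.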
We would like to stay committed to keeping HexHoot's codebase entirely open source. At the same time, we do not want to put the users at risk at any point. We need to keep working to solve this.
Therefore, at the moment, we do not know what the APIs would look like, nor do we know what the interface for submitting third party applications would be like. We will keep researching to find the best way to do this.