I could not find the Stack Overflow either, but I did my own investigation.
John means that somebody could push random data to keep changing his username as fast as he can, like a DDoS attack.
I would prevent abnormal abuse by setting a limit on the API calls somebody can make,
so you will catch this random data pusher when it reaches 1000 API calls in and disable the account temporarily.
Reset the API counter of each user with a timer or something.
Or maybe assigning a temporary user role that allows changing the username once might also help.
The thing that I am afraid of is how I can protect the Backendless initApp( applicationID, apiKey ) info.
With a simple tool for reverse engineering Android apk files (apktool) you can easily retrieve this information.
As Maksym mentioned:
You should not store your keys as a plain text. There are obfuscation tools that can obfuscate Strings and resources. Also you can encrypt the keys.
Is it harmful to Backendless when hackers get your applicationId and apiKey?
I don’t know the answer to that question, but I believe if you have to protect this information,
I would obfuscate and encrypt this to keep it safe and secure.
But unfortunately, this will only delay a hacker in retrieving the Backendless initApp( applicationID, apiKey ) information, because it depends on how dedicated they are in reverse engineering.
I hope you can answer the question that I cannot and inform me (us) about the dangers in exploiting applicationId and apiKey information.
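
The per-user call limit with temporary lockout suggested in the post above, as an added example (not part of the original post and not Backendless code). The class and function names, the one-hour counting window and the 15-minute lockout are assumptions; only the 1000-call limit comes from the post.

```javascript
// Added example: per-user API call limiter with temporary account lockout.
// Window and lockout lengths are assumed values; the post names only the 1000-call limit.
class ApiCallLimiter {
  constructor({ limit = 1000, windowMs = 60 * 60 * 1000, lockoutMs = 15 * 60 * 1000 } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.lockoutMs = lockoutMs;
    this.users = new Map(); // userId -> { windowStart, count, lockedUntil }
  }

  // Record one API call for userId at time `now` (ms) and decide whether to serve it.
  check(userId, now = Date.now()) {
    let s = this.users.get(userId);
    if (!s) {
      s = { windowStart: now, count: 0, lockedUntil: 0 };
      this.users.set(userId, s);
    }
    // Account is temporarily disabled: reject without counting the call.
    if (now < s.lockedUntil) {
      return { allowed: false, reason: "locked", retryAfterMs: s.lockedUntil - now };
    }
    // The "timer": start a fresh counter once the window has elapsed.
    if (now - s.windowStart >= this.windowMs) {
      s.windowStart = now;
      s.count = 0;
    }
    s.count += 1;
    if (s.count > this.limit) {
      // Limit exceeded: disable the account and start a clean window after the lockout.
      s.lockedUntil = now + this.lockoutMs;
      s.windowStart = s.lockedUntil;
      s.count = 0;
      return { allowed: false, reason: "limit_exceeded", retryAfterMs: this.lockoutMs };
    }
    return { allowed: true, remaining: this.limit - s.count };
  }
}

// Constructed simulation: one client sends `calls` requests spaced `gapMs` apart.
function simulate(limiter, userId, calls, gapMs, startMs = 0) {
  let allowed = 0, rejected = 0;
  for (let i = 0; i < calls; i++) {
    const r = limiter.check(userId, startMs + i * gapMs);
    if (r.allowed) allowed++; else rejected++;
  }
  return { allowed, rejected };
}
```

The check has to run on the server side, because a counter kept in the app itself can be removed by the same reverse engineering the post describes.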