CrossGeeks/AzurePushNotificationPlugin

Registration Security

mphill opened this issue · 1 comment

If the notification hub connection string is in the app, wouldn't that allow an attacker to register for other users' notifications? For instance, if the system uses integer primary keys and I am user ID 20, I could create a registration for user ID 21 by essentially forging the registration request and intercept user ID 21's notifications.

Is the workaround to abstract away the integers with GUIDs?

Thanks for your guidance on this.

One option you have is to have an endpoint on your backend that provides this connection string once the user is logged in. That way you won't have it exposed in your application.
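As an added example (not code from this plugin or from either commenter), the sketch below shows a second way to close the gap the issue describes: the connection string never leaves the backend, and the backend creates the Notification Hubs installation itself, deriving the tag from the authenticated user rather than from anything the client sends. The namespace, hub name, key, installation id and push channel are constructed placeholders; the function builds the REST request but does not send it.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

# Constructed placeholders: a real backend loads these from server-side config.
HUB_NAMESPACE = "example-ns"                       # assumption: hub namespace
HUB_NAME = "example-hub"                           # assumption: hub name
SAS_KEY_NAME = "DefaultFullSharedAccessSignature"  # policy name from the connection string
SAS_KEY = b"constructed-secret-key"                # shared key; stays on the server only


def make_sas_token(resource_uri, key_name, key, ttl_seconds=300, now=None):
    """Azure SAS token: HMAC-SHA256 over '<url-encoded uri>\\n<expiry>' with the shared key."""
    expiry = int(now if now is not None else time.time()) + ttl_seconds
    encoded_uri = urllib.parse.quote(resource_uri, safe="")
    to_sign = f"{encoded_uri}\n{expiry}".encode()
    sig = base64.b64encode(hmac.new(key, to_sign, hashlib.sha256).digest()).decode()
    return (f"SharedAccessSignature sr={encoded_uri}&sig={urllib.parse.quote(sig, safe='')}"
            f"&se={expiry}&skn={key_name}")


def build_installation_request(authenticated_user_id, installation_id, platform,
                               push_channel, client_requested_tags=None):
    """Build the PUT /installations/{id} request a backend sends on the user's behalf.

    The only tag written is derived from the server-side authenticated identity.
    client_requested_tags is accepted so the shape mirrors a client call, but it is
    intentionally unused: user 20 cannot ask to be tagged as user 21.
    """
    hub_uri = f"https://{HUB_NAMESPACE}.servicebus.windows.net/{HUB_NAME}"
    url = (f"{hub_uri}/installations/{urllib.parse.quote(installation_id, safe='')}"
           f"?api-version=2015-01")  # api-version used by the Notification Hubs REST API
    body = {
        "installationId": installation_id,
        "platform": platform,
        "pushChannel": push_channel,
        "tags": [f"user:{int(authenticated_user_id)}"],
    }
    return {
        "method": "PUT",
        "url": url,
        "headers": {
            "Authorization": make_sas_token(hub_uri, SAS_KEY_NAME, SAS_KEY),
            "Content-Type": "application/json",
        },
        "body": body,
    }
```

The mobile client then calls this backend endpoint with its device token after login, and never sees the hub credentials at all.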