I've just setup a new Azure Mobile App (first time using one since the old Mobile Services).
After setting up the app you can use one of the "Quick Start" offerings to create a Xamarin.Forms app that connects to your service and they create a dummy ToDoItem table for you. Then you can download the source for the app which is helpful.
The bit where I'm left scratching my head is that previously with the Mobile Services you would have your Mobile Services URL and an API key that was to stay secret (how secret you can keep this is open to debate as at the end of the day it's in your code and is probably possible for someone to reverse engineer the APK or whatever and get it)... BUT with the new Mobile App service there doesn't seem to be any notion of this secret API key. I've hunted around the sample app source and can only find the URL for the app service and nothing else.
So my question is, what's to stop someone else using my Mobile App service URL and reading/writing to (or worse, deleting from) my SQL Server tables?
Perhaps I'm missing something... If anyone can shed any light on the subject that would be great.
