Nice post-mortem of a quirky bug. I think we're only going to be getting more problems as web services can change their APIs instantly, while iOS apps have a build-test-deploy cycle measured in weeks.
I think API versioning is important for this very reason. It's also important for developers to update their code to run on newer versions of the API so companies can drop support for the old API eventually.
I'm pretty surprised that neither Apple nor StackMob had an upper limit for the number of notifications your account could send or a user's device could receive within a set time.
I wonder how many users have now uninstalled your app?
They're not sent "directly" -- they go through StackMob's servers. Urban Airship has a client library that can do the same thing, and it's widely used.
I can see how it's certainly possible for a spammer to do that with hackery, but there's a mechanism to revoke API keys and so forth if needed.
Revoking your API key is the equivalent of taking your application offline. And there's no fix; as soon as you reissue your application (after waiting a week for Apple's approval) then the spammer has your API key again and can start sending pushes through StackMob/Urban Airship.
I send a lot of push notifications through my own servers. I made sure that spammers would have a hard time abusing it by constraining (server-side) who can send what messages to whom. Unless I'm missing something, StackMob has no defense against spam whatsoever.
If spammers aren't already abusing this, they will be soon.
I think it would help a lot if broadcast were unavailable via the client-side API. Without broadcast, an attacker would have to find out usernames or device tokens to push to. I'll suggest that to StackMob and see what they think.
Sounds like you're responsible for ensuring that your app only sends broadcasts when appropriate. If you create an app that lets end users send push notifications to an arbitrary list of users then that's on you for allowing it to happen.
If the iOS application decides who to send messages to and what the content of the message should be, then anyone who downloads the app now has the ability to spam to any other user just by extracting the API key out of the binary and using the StackMob API directly.
I wonder if there is any chance of seeing this app on Android. I know it's a small project and that seems silly, but hell, maybe I want to talk to iPhone users.
Don't get me started about Facebook