by MProgrammer 4869 days ago
They're not sent "directly" -- they go through StackMob's servers. Urban Airship has a client library that can do the same thing, and it's widely used.

I can see how it's certainly possible for a spammer to do that with hackery, but there's a mechanism to revoke API keys and so forth if needed.

1 comments

Revoking your API key is the equivalent of taking your application offline. And there's no fix; as soon as you reissue your application (after waiting a week for Apple's approval) then the spammer has your API key again and can start sending pushes through StackMob/Urban Airship.

I send a lot of push notifications through my own servers. I made sure that spammers would have a hard time abusing it by constraining (server-side) who can send what messages to whom. Unless I'm missing something, StackMob has no defense against spam whatsoever.

If spammers aren't already abusing this, they will be soon.

I think it would help a lot if broadcast were unavailable via the client-side API. Without broadcast, an attacker would have to find out usernames or device tokens to push to. I'll suggest that to StackMob and see what they think.
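
A sketch of the server-side constraint discussed in this thread (who can send what to whom, with broadcast unreachable from clients), added here as an example; it is not code from the thread, StackMob, or Urban Airship. The `PushPolicy` class, contact table, message types, and rate limit are all assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample data: recipients each sender already has a relationship with.
CONTACTS = {"alice": {"bob", "carol"}, "bob": {"alice"}}
ALLOWED_TYPES = {"chat_message", "friend_request"}  # what a client may send
MAX_PER_MINUTE = 5                                  # per-sender rate limit


class PushPolicy:
    """Hypothetical gate placed in front of the push provider, on your own server."""

    def __init__(self, contacts, now=time.monotonic):
        self.contacts = contacts
        self.now = now                    # injectable clock, for testing
        self.sent = defaultdict(deque)    # sender -> timestamps of accepted sends

    def authorize(self, sender, request):
        """Return (allowed, reason) for one client push request.

        `sender` must come from the authenticated server-side session, never
        from the request body, so a key pulled out of the app binary does not
        by itself identify a user who is allowed to push.
        """
        recipient = request.get("to")
        msg_type = request.get("type")
        # No recipient, or a wildcard, is a broadcast: never allowed from clients.
        if not isinstance(recipient, str) or recipient in ("*", "all"):
            return False, "broadcast is server-only"
        if not isinstance(msg_type, str) or msg_type not in ALLOWED_TYPES:
            return False, "message type not allowed from clients"
        # Knowing a username or device token is not enough to push to it.
        if recipient not in self.contacts.get(sender, set()):
            return False, "recipient has no relationship with sender"
        # Sliding 60-second window caps what one compromised account can send.
        window = self.sent[sender]
        t = self.now()
        while window and t - window[0] >= 60:
            window.popleft()
        if len(window) >= MAX_PER_MINUTE:
            return False, "rate limit exceeded"
        window.append(t)
        return True, "ok"
```

Only requests that pass `authorize` are forwarded to the push provider using a credential held on the server, so nothing that can send pushes ships inside the app.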