[robterrell]

I don't think it's an "unrestricted" API if it uses https and you have to intercept and extract an auth token from a valid session. But I get what you mean -- it is fun to look under the covers and see how the big companies do things.

[crazypyro]

Yeah, I agree. MITM attacking your own auth token is not a great example of an "unrestricted" API. I'm thinking more POST requests to games where you can edit resources, change high score, etc. The kind of stuff you used to see all the time on web games, before popularity increased to the point where the developers had to take care of it.

I'd just imagine developers are a lot less wary about security holes because they assume that their client is "just" a smartphone and not a rooted packet sniffer.