尽管我完全了解 AppCheck 的用法,但我仍然想知道它如何帮助防止向 API 端点发送垃圾邮件请求。在黑客使用 OpenBullet 或任何黑客工具每分钟向特定端点发送数千个请求的情况下(例如,在社交应用程序中创建数千个虚假个人资料的注册端点):
once the hacker got their hand on the appcheck token from the device, can't they simply attach it to the request's header, and spam all they want the api endpoint that we secured from our backend by checking appcheck token? I mean, as long as the TTL didn't expire, I guess all their requests will pass the check thus they could use their hacker tool and pretend to come from the untempered app? …