I've noticed it in a couple of cases where I had access to the code by the app owner, and then I decided to do some research (not really). Surprisingly, in a 10-minute effort of searching on the internet, I managed to collect 10 valid API-KEY/APPID pairs because the developers left that information directly in the code.
Now, considering that:
- With only the AppID you can get the WHOLE app structure (which is something I don't completely understand);
- If you have the pair AppID+API-KEY you can do some real damage;
- It is (almost) as easy as searching on Google to find websites that embed Knack apps;
I think many apps are actually under a very high security risk and should be fixed ASAP.
Of course object-based requests are a lot more fun and easy to implement, but with a clever use of display rules you can make very complicated and nested custom operations without exposing your API key (and when you want to GET information, without even making an API call at all).
To the Knack staff, I'll request as a feature a big red message that shows up in the builder in those apps that have the API key exposed. This alone is a deterrent for developers taking this very wrong path.
P.S. Even if it might look silly or I might look paranoid, I can assure you that someone with the right motivation and not even much skill could easily take advantage (or maybe already is!!) of such a security breach. I've seen this before.
Think about how many Knack apps are used to handle highly sensitive data (health, education, children, ...) and you'll agree with me that we have to make an effort also as a community to mitigate such a risk of data leak or manipulation.
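As an added example (not part of the post above, and not Knack's own tooling), the following Python script is the kind of pre-deploy check an app owner can run over their own page source or JS bundle to catch exactly the mistake the post describes: a REST API key shipped to the browser next to the App ID. It assumes Knack's public REST header names (`X-Knack-Application-Id` and `X-Knack-REST-API-Key`) and also flags generic client-side assignments such as `api_key = "..."`; the embedded HTML sample is constructed for the demo. Findings are redacted so the report itself does not leak the key.

```python
import re
from dataclasses import dataclass

# Header names from Knack's public REST API docs (assumption: not taken from the post).
# The App ID is embedded in every Knack page anyway; the REST API key must never be.
HEADER_PATTERNS = {
    "app_id": re.compile(
        r'["\']X-Knack-Application-Id["\']\s*[:=]\s*["\']([^"\']+)["\']', re.I),
    "api_key": re.compile(
        r'["\']X-Knack-REST-API-Key["\']\s*[:=]\s*["\']([^"\']+)["\']', re.I),
}

# Generic client-side assignments: api_key = "...", apiKey: '...', rest_api_key = "..."
VAR_PATTERN = re.compile(
    r'\b(api[_-]?key|rest[_-]?api[_-]?key)\b\s*[:=]\s*["\']([^"\']{8,})["\']', re.I)


@dataclass
class Finding:
    kind: str    # "app_id" or "api_key"
    line: int    # 1-based line in the scanned source
    value: str   # redacted: first 4 chars, rest masked


def redact(value: str) -> str:
    """Keep a short prefix so the owner can recognise the key without the report leaking it."""
    return value[:4] + "…" + "*" * max(0, len(value) - 4)


def scan_source(src: str) -> list[Finding]:
    """Return every App ID / API key literal found in client-side source text."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for kind, pat in HEADER_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(kind, lineno, redact(m.group(1))))
        for m in VAR_PATTERN.finditer(line):
            findings.append(Finding("api_key", lineno, redact(m.group(2))))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """An exposed REST key allows authenticated reads and writes: treat it as critical."""
    kinds = {f.kind for f in findings}
    if "api_key" in kinds:
        return "critical"
    if "app_id" in kinds:
        return "info"      # App ID alone is expected in an embed page
    return "none"


# Constructed sample of a page that embeds a Knack app and (wrongly) calls the
# object-based REST API from the browser with the key in the page.
SAMPLE_EMBED = """<script>
  // constructed sample, not a real app
  var app_id = "5f0000000000000000000001";
  fetch(REST_API_URL, {  // placeholder for the records endpoint
    headers: {
      "X-Knack-Application-Id": "5f0000000000000000000001",
      "X-Knack-REST-API-Key": "00000000-1111-2222-3333-444444444444"
    }
  });
</script>"""


def report(src: str) -> str:
    findings = scan_source(src)
    lines = [f"line {f.line}: {f.kind} = {f.value}" for f in findings]
    lines.append(f"risk: {risk_level(findings)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EMBED))
```

Run it against the generated HTML of every page that embeds the app (or the built JS bundle) as part of the deploy step; a "critical" result means the key must be rotated in the builder and the write operation moved behind display rules or a server-side proxy that holds the key.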