Our company has enlisted a third-party security firm to perform an assessment of our applications. The firm, BitSight Technologies, flagged one of our mobile apps because of a Mixpanel API call that is sending the distinct_ID in the query string and HTTP body. What alternative exists so that value is not exposed?
Feedback from the firm:
Sensitive Data in Transit (with encryption)
One or more sensitive values were intercepted in transit. This is a high-risk vulnerability as it is possible for an attacker on the same network to easily retrieve this information.
Best answer by stephanie
When you send in event data via the HTTP spec, there is an encryption level that is required via base64 to keep it secure. To read more on the HTTP spec, you can take a look here: https://developer.mixpanel.com/docs/http#section-tracking-events.
As an alternative, you can use a server-side library to send events to Mixpanel if you do not want to use our HTTP spec.
Hope this helps!
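The server-side alternative from the answer, as an added example that is not part of the original thread or of Mixpanel's own libraries: a small Python relay that resolves distinct_id from the app's session on the server, so the identifier never appears in the mobile app's own request, and builds the base64-encoded `data` payload that the /track HTTP spec expects. The session table, the project token placeholder and the filtering of client-supplied identity fields are assumptions made for illustration.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Hypothetical server-side lookup: maps an app session token to the user's
# Mixpanel distinct_id, so the mobile client never has to send it itself.
SESSION_TO_DISTINCT_ID = {"sess-abc123": "user-42"}  # constructed sample data

MIXPANEL_TRACK_URL = "https://api.mixpanel.com/track"
PROJECT_TOKEN = "PROJECT_TOKEN_PLACEHOLDER"  # placeholder, not a real token


def build_track_request(session_token, event, properties=None):
    """Resolve distinct_id on the server and build the Mixpanel /track request.

    Returns (url, form_body) ready for an HTTPS POST, or None when the session
    is unknown. The 'data' value is the base64-encoded JSON the HTTP spec
    expects; base64 is reversible, so confidentiality on the wire comes from TLS.
    """
    distinct_id = SESSION_TO_DISTINCT_ID.get(session_token)
    if distinct_id is None:
        return None
    # Assumption: identity fields are set only by the server, never by the app.
    props = {k: v for k, v in (properties or {}).items()
             if k not in ("distinct_id", "token")}
    props.update({"token": PROJECT_TOKEN, "distinct_id": distinct_id})
    payload = {"event": event, "properties": props}
    encoded = base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")
    return MIXPANEL_TRACK_URL, urlencode({"data": encoded})


def decode_track_body(form_body):
    """Decode a /track form body back into the event dict (what an observer
    of the unencrypted request would recover)."""
    data = parse_qs(form_body)["data"][0]
    return json.loads(base64.b64decode(data))


if __name__ == "__main__":
    url, body = build_track_request("sess-abc123", "Screen Viewed", {"screen": "Home"})
    print(url, body)
    print(decode_track_body(body))
```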