This problem is fairly generic one - how do I store backend id and backend secret in the application? As the example shows - I could hardcode the keys in the application but then anybody can who has access to the binary has complete access to the backend. To conteract that, I could create acl's to control access to specific objects to specific users. But not really sure whether this the right way,
I don't understand - why there are two keys? if these keys are meant to be stored in the app, One key would have been sufficient.
So I have to create a middle webservice which sits between the application and engio where application sends the backend id and the middle service slaps on the backend secret and sends it over to engin.io ?
You are right that one key is sufficient. That is why we changed the API and in the first real release of the Enginio Qt client library there is only the backendId.
The way to secure a backend is indeed through the ACL. There is a new example - the Social Todos example that shows how to do this. Please let us know if you have more questions.