As I read in the Android Mixpanel SDK setup documentation, a token is used to initialize MixPanel SDK when app starts. When I read about token on Mixpanel document, it says:
Your token is public, and is the only project-specific object required to send data to Mixpanel. Since Mixpanel users can have multiple projects, and each project has its own project token, whenever you want to send data to a specific project, you'll need to specify the project token so we know where to send the data.
Android APKs can be easily decompiled using freely available tools. If someone hasn't used ProGuard or some other obfuscation library, what will be the consequences if the token is exposed to an attacker? Since the link mentions that it's the only thing required to send data to Mixpanel, can an attacker send their own data and corrupt our data on Mixpanel?
This is correct -- if an attacker decompiles your APK and extracts your token, they can indeed maliciously send traffic into Mixpanel on your behalf.
This is the case with pretty much every single one of the web analytics companies out there (google included).
The main thing to know however, is that it is rarely useful for people to do this. Polluting someone else's web analytics, while possible, isn't exactly a profitable thing to do. You can also create server-side filters to help prevent this thing from happening.
You can read more about it (specifically related to Google Analytics) here: https://blog.kissmetrics.com/protect-analytics-from-hacking/ (the principles also apply to Mixpanel).
Hope that helps!
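The answer above mentions server-side filters as a mitigation. The following is an added example (not code from the question, the answer, or Mixpanel) of what such a filter can look like. It assumes an architecture in which the app sends events to your own backend rather than directly to Mixpanel, so the project token stays on the server; the backend validates each event against an allowlist of event names and properties, sanity-checks timestamps and values, and rate-limits per client before anything is forwarded. `ALLOWED_EVENTS`, the `distinct_id` format, the limits and the sample batch are all constructed for illustration; the actual forwarding call to Mixpanel is left out, the `accepted` list is what you would forward.

```python
import re
import time
from collections import defaultdict, deque

# Constructed policy: the only events our app legitimately emits and the
# properties each may carry. Anything outside this is dropped server-side.
ALLOWED_EVENTS = {
    "app_open": {"platform", "app_version"},
    "purchase": {"platform", "app_version", "sku", "amount_cents"},
}
DISTINCT_ID_RE = re.compile(r"^[0-9a-f]{32}$")  # assumed client-id format
MAX_EVENTS_PER_MINUTE = 60  # per distinct_id, constructed limit
CLOCK_SKEW_SECONDS = 600     # reject events with timestamps far from server time


class EventFilter:
    """Validates analytics events relayed by our backend before they are
    forwarded to Mixpanel with the server-held project token."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._recent = defaultdict(deque)    # distinct_id -> event timestamps

    def _rate_limited(self, distinct_id, ts):
        window = self._recent[distinct_id]
        while window and ts - window[0] > 60:   # drop entries older than 1 min
            window.popleft()
        if len(window) >= MAX_EVENTS_PER_MINUTE:
            return True
        window.append(ts)
        return False

    def check(self, event):
        """Return None if the event is acceptable, otherwise a rejection reason."""
        name = event.get("event")
        props = event.get("properties")
        if name not in ALLOWED_EVENTS:
            return "unknown event name"
        if not isinstance(props, dict):
            return "missing properties"
        distinct_id = str(props.get("distinct_id", ""))
        if not DISTINCT_ID_RE.match(distinct_id):
            return "malformed distinct_id"
        extra = set(props) - ALLOWED_EVENTS[name] - {"distinct_id", "time"}
        if extra:
            return "unexpected properties: " + ",".join(sorted(extra))
        ts = props.get("time", self._now())
        if not isinstance(ts, (int, float)) or abs(ts - self._now()) > CLOCK_SKEW_SECONDS:
            return "timestamp outside accepted window"
        if name == "purchase":
            amount = props.get("amount_cents")
            if not isinstance(amount, int) or not 0 < amount <= 1_000_000:
                return "implausible amount_cents"
        if self._rate_limited(distinct_id, ts):
            return "rate limit exceeded"
        return None

    def partition(self, events):
        """Split a batch into (accepted, [(event, reason), ...])."""
        accepted, rejected = [], []
        for ev in events:
            reason = self.check(ev)
            if reason is None:
                accepted.append(ev)
            else:
                rejected.append((ev, reason))
        return accepted, rejected


# Constructed, deterministic clock and sample batch for the demonstration.
FIXED_NOW = 1_700_000_000.0
GOOD_ID = "ab" * 16
SAMPLE_BATCH = [
    {"event": "app_open", "properties": {"distinct_id": GOOD_ID, "platform": "android", "app_version": "1.0"}},
    {"event": "admin_grant", "properties": {"distinct_id": GOOD_ID}},
    {"event": "app_open", "properties": {"distinct_id": GOOD_ID, "platform": "android", "app_version": "1.0", "is_paid_user": True}},
    {"event": "app_open", "properties": {"distinct_id": "not-a-client-id", "platform": "android", "app_version": "1.0"}},
    {"event": "app_open", "properties": {"distinct_id": GOOD_ID, "platform": "android", "app_version": "1.0", "time": 1_600_000_000}},
    {"event": "purchase", "properties": {"distinct_id": GOOD_ID, "platform": "android", "app_version": "1.0", "sku": "pro", "amount_cents": -5}},
]


def run_sample():
    """Run the constructed batch through the filter; only the first event survives."""
    return EventFilter(now=lambda: FIXED_NOW).partition(SAMPLE_BATCH)


if __name__ == "__main__":
    accepted, rejected = run_sample()
    print("accepted:", len(accepted))
    for ev, reason in rejected:
        print("rejected", ev["event"], "->", reason)
```

The point of the design is that the token is never in the APK at all, and even a client that has reverse-engineered your backend's request format can only inject events that match the shape and rate of legitimate traffic. The rejected list is also worth logging: a burst of "unknown event name" or "malformed distinct_id" rejections from one source is a useful signal that someone is probing your analytics endpoint.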