My idea is to remove the function mx.meta.getMap() (or in any way block the information).
This function returns all entities in a domain model from the Mendix application. It can be called anonymously. I consider this a security risk as it gives hackers an awful lot of information about the application's inner workings and data.
Since you can do a request for objects with the Mendix client API, you can easily write a script that tries to retrieve all instances of an entity. Provided with the knowledge of the entire domain model, this is just too easy.
For example, here is the (partial) result of https://cloud.home.mendix.com:
If you want to test security of your own application you already have knowledge about the metamodel, so you should not be needing this function… Or this function should not have to be public.
It's good for testing security, don't remove it.
You can see all the entities that exist in the Mendix application. You can try to query them; you will only retrieve objects that you have access to.
I thought this method only gave you information on entities you currently have access to. Am I wrong?