Google reCAPTCHA (as presented in server part...), app requires a
And this part of the app can't use SSL Pinning due to external ownership.
So it's an exposure to many potential security breaches:
- JS injection via MitM
- exploit by using a WebKit security breach, especially if iOS is not updated with last update
- replace captcha code (by MitM attack) to solve external captcha.
And, if reCAPTCHA is used for authentication (and not human detection, its primary goal), it can be solved by any "Mechanical Turk" API. (I use this to automate my unit tests...)
Benefits / risks balance is not clear.