Sven

We just launched the ability to build native Android apps directly in Google AI Studio for free! Since launch last week, people have created more than 250,000 Android apps. Likely >99% of these folks never built an Android app before, everyone can now build, no coding required!

谷歌刚上线的 Google Flow 安卓 Beta 版，可以直接无限使用生图。 ​我刚才在手机上试了一下，重点是它把 Nano Banana 2 和 Nano Banana Pro 这几个图像模型划归到了“0 点数消耗”里。也就是说，不管是手机端生图还是改图，现在完全不扣积分，等于无限使用。 Google Play 商店搜Google Flow下载

20 things that will get your VIBE CODED app HACKED in 24 hours : Bookmark this RIGHT NOW ! 1/ API keys hardcoded in frontend JS > anyone who opens devtools can read them > cursor does this constantly > move all keys to your backend, never the client 2/ no rate limiting on /login > bots can try 10,000 combos while you sleep > add rate limiting + lockout after 5 failed attempts > this is table stakes, not optional 3/ SQL queries built with string concatenation > "SELECT * FROM users WHERE id=" + userId > thats SQL injection waiting to happen > use parameterized queries, always 4/ CORS set to wildcard (*) > any website can make authenticated requests to your API > it uses your users own cookies to do it > whitelist specific origins only 5/ JWTs stored in localStorage > one XSS attack steals every token on your site > localStorage is readable by any script on the page > use httpOnly cookies instead 6/ JWT secret is "secret" or from a tutorial > attackers test common secrets first > yours is probably on a wordlist already > generate a 256-bit random secret, rotate it 7/ admin routes protected only in the frontend > the server doesnt care about your React Router guards > hit the endpoint directly and it opens right up > protect every route server-side, no exceptions 8/ .env committed to git even once > its in the history even if you deleted the file > git log --all --full-history -- .env finds it instantly > rotate every key in that file immediately 9/ error responses showing stack traces or DB table names > you're giving attackers a map of your infrastructure > log errors server-side, return generic messages client-side > never expose internals in a response 10/ file uploads with no MIME type validation > upload a server-side script, get full access > extension checks alone dont protect you > validate MIME type server-side, not the filename 11/ passwords hashed with MD5 or SHA1 > rainbow tables crack MD5 in seconds > no salt = no protection > use bcrypt or argon2, no exceptions 12/ auth tokens that never expire > stolen session = permanent access forever > set an expiry on every token you issue > implement refresh token rotation 13/ auth middleware missing on internal API routes > AI adds middleware to obvious routes and skips the rest > audit every single endpoint manually > assume nothing is protected until you verify it 14/ server running as root > one exploit = full system access > run your app as a non-privileged user > this costs nothing to fix 15/ database port exposed to the internet > your postgres on port 5432 should never have a public IP > put it behind a firewall or private network > this is a one-click fix in most cloud providers 16/ IDOR vulnerability on resource endpoints > change the ID in the URL > can you access another users data? most vibe coded apps: yes > validate ownership server-side on every resource request 17/ no HTTPS enforcement > credentials sent over plain HTTP can be intercepted on any public network > enforce HTTPS at the server level, not just the frontend > redirect all HTTP traffic automatically 18/ sessions not invalidated on logout > the old session token still works after the user clicks logout > invalidate sessions server-side on every logout event > client-side cookie clearing is not enough 19/ npm packages not audited since setup > run npm audit right now > count the criticals > schedule this as part of every deploy 20/ open redirects in callback URLs > used to send users to phishing sites through your trusted domain > validate and whitelist every redirect destination > never trust user-supplied redirect URLs

"I'm out of free API credits" is officially over 🤯 FreeLLMAPI is an open-source proxy. Each provider's free tier is a toy on its own. Stacked together they add up to ~800M tokens a month. → Google, Groq, Cerebras, NVIDIA, Mistral + 9 more → Drop-in OpenAI endpoint, just swap base_url → Auto failover when a provider hits its rate limit 100% Open Source.

Thanks for all of the Antigravity feedback over the last couple of days, especially around the IDE. Our intention was never to remove the IDE support for developers, and we should have been clearer with that in the product from the beginning. We’ve made it clearer in 2.0 on how to connect to the IDE, fixed issues with opening the IDE on Windows machines, provided instructions to restore IDE settings & extensions, and more. New releases for the Antigravity IDE and Antigravity 2.0 have rolled out with these changes. We should have done better so we’re going to reset everyone’s Gemini quota for the week again.

Last month we launched Project Glasswing, our collaborative AI cybersecurity initiative. Since then, we and our partners have found more than ten thousand high- or critical-severity vulnerabilities in essential software.