
How would reddit block them?


They can just turn off the .json endpoints for unauthenticated requests. Their own clients use a non-public GraphQL API that (supposedly, I haven't checked) uses elaborate fingerprinting to stop outside access. When I said "all apps" I should probably have clarified that it's all 3rd-party apps.


I imagine that over time they’ll update their 1st party clients to use authentication, and if they’re really motivated they could implement some kind of token binding.

It would surprise me if this isn’t in their near term plans given the apparent urgency they have to shut down the APIs.


If reddit removed their web view and went app-only it would be dead in the water IMO.


But this isn’t just about the web view, is it?

My understanding is that they’re still hitting API endpoints.

What I’m getting at is that it’s theoretically possible to start locking down the APIs such that only Reddit’s own clients including the web view can continue to call those APIs.

Clients that are calling the unprotected endpoints would be forced to start circumventing the new API security, setting up an avenue for Reddit to go after such clients.

Getting rid of the web view isn’t necessary.


Unless they block web browsers too, ain't gonna work (and even then, still probably wouldn't work). Any app can simulate a regular web browser.


It’s less about fully breaking these clients and more about forcing them to deliberately circumvent API restrictions, which opens legal avenues.


How would that work exactly?

Wouldn't this library be able to pretend to be a 1st party client?


Something like this [0]. The point would be to force clients to deliberately circumvent the restrictions, which I believe would give them more standing to go after 3rd party clients that attempt this.

Worth noting that most browsers don’t support token binding yet, but this has been in the works for a while, so I’m mentioning it here for illustrative purposes. They could theoretically implement something less airtight but with the same general goal.

- [0] https://datatracker.ietf.org/doc/html/rfc8473
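
Added example, not part of the comment above and not Reddit's code: a simplified model of the check RFC 8473 builds on, where a token is tied to a client key pair and each request carries a signature over connection-specific keying material. The function names, the `tbh` field and the random bytes standing in for the TLS exported keying material (EKM) are assumptions for illustration, and this is not the RFC's wire format.

```javascript
// Added example: simplified model of the RFC 8473 idea, not its wire format.
const crypto = require('crypto');
const SERVER_SECRET = crypto.randomBytes(32); // constructed server MAC key

// SHA-256 of the client's public key stands in for the Token Binding ID.
function bindingId(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

function mac(body) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(body).digest();
}

// Server: issue a token that records which key it is bound to.
function issueToken(user, publicKey) {
  const body = JSON.stringify({ user, tbh: bindingId(publicKey) });
  return Buffer.from(body).toString('base64url') + '.' + mac(body).toString('base64url');
}

// Client: sign this connection's exported keying material (EKM).
function proveBinding(privateKey, ekm) {
  return crypto.sign(null, ekm, privateKey);
}

// Server: accept the token only with a fresh proof from the bound key.
function verifyRequest(token, publicKey, proof, ekm) {
  const [b64, tag] = token.split('.');
  const body = Buffer.from(b64 || '', 'base64url').toString();
  const given = Buffer.from(tag || '', 'base64url');
  if (given.length !== 32 || !crypto.timingSafeEqual(given, mac(body))) return 'bad-token';
  if (JSON.parse(body).tbh !== bindingId(publicKey)) return 'wrong-key';
  return crypto.verify(null, ekm, publicKey, proof) ? 'ok' : 'bad-proof';
}

// Constructed scenario: random bytes stand in for each connection's EKM.
function demo() {
  const owner = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  const token = issueToken('alice', owner.publicKey);
  const ekm1 = crypto.randomBytes(32), ekm2 = crypto.randomBytes(32);
  const proof1 = proveBinding(owner.privateKey, ekm1);
  return {
    legit: verifyRequest(token, owner.publicKey, proof1, ekm1),
    copiedToken: verifyRequest(token, other.publicKey, proveBinding(other.privateKey, ekm2), ekm2),
    replayedProof: verifyRequest(token, owner.publicKey, proof1, ekm2),
  };
}
console.log(demo());
```

The server rejects the same token when it arrives with a different key, and rejects a captured proof on a different connection; only the holder of the original private key on the current connection passes.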


Both Apple and Google will remove apps from their store if they access a 3rd party API without consent. Not to mention that if using non-sanctioned APIs you will likely face lawsuits from whatever service you are implementing a 3rd party client for.


It's a game of cat and mouse, it's like anticheat, or user agent spoofing. All reddit have to do is make it "difficult" enough to dissuade the majority of users for it to be worthwhile.



