
EDIT: Never mind, I misunderstood the nature of Fukime. Fukimailife.


Even then you could just put a breakpoint in the Fukime constructor and read the raw string?

Heck, even if the authentication step was 100% secure, what's stopping a malicious user from calling increase("farms") on a previously authenticated Fukime object? The Fukime instance is shown to have direct access to "global" variables, so the user wouldn't be limited to screwing with their own data.

This kind of logic belongs server-side (and this obviously isn't a server-side API, because the examples provided are for Android and iOS).


To what end? I guess they could troll your "mobile app installation counter" if they really want to, but so what?

If someone wants to misrepresent how many times they've installed your app, there's nothing you can do about it. (They could just uninstall then reinstall over and over.)

Though... obviously they should only be able to mess with their own statistics, not the global statistics.


True that there's nothing terrible they can do when it's just statistics. The obvious solution would be to remove the global variables altogether, so that each user only has their own (from which the global versions are calculated).

That way, if the user were to do stupid things to their own variables, they could just be removed when calculating the global ones.
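As an added example (not code from the thread or from Fukime), here is the server-side layout the comment above describes: each authenticated user can only increment their own row, and the global figure is derived on the server, so a user who inflates their own numbers can be dropped from the aggregate. The class and method names, and the per-request cap, are assumptions.

```python
from collections import defaultdict


class StatsService:
    """Server-side counters: clients touch only their own row; globals are derived."""

    # Assumed policy: one unit per request, so a client cannot send increase(key, 10**6).
    MAX_INCREMENT = 1

    def __init__(self):
        # user_id -> {stat key -> count}; this state never leaves the server.
        self._per_user = defaultdict(lambda: defaultdict(int))

    def increase(self, user_id, key, amount=1):
        # user_id must come from the server's session/auth layer, never from the
        # request body, otherwise a caller could pick any row (or a "global" one).
        if not user_id:
            raise PermissionError("unauthenticated request")
        if not 1 <= amount <= self.MAX_INCREMENT:
            raise ValueError("increment outside allowed range")
        self._per_user[user_id][key] += amount
        return self._per_user[user_id][key]

    def user_total(self, user_id, key):
        return self._per_user[user_id][key]

    def global_total(self, key, max_per_user=None):
        # The global value is computed from per-user rows rather than stored as a
        # writable variable; rows above max_per_user are treated as tampered and
        # excluded, which is the "just remove them" step from the comment above.
        values = [stats[key] for stats in self._per_user.values()]
        if max_per_user is not None:
            values = [v for v in values if v <= max_per_user]
        return sum(values)


if __name__ == "__main__":
    svc = StatsService()
    svc.increase("alice", "farms")
    svc.increase("bob", "farms")
    for _ in range(1000):          # constructed: one user hammering their own counter
        svc.increase("mallory", "farms")
    print(svc.global_total("farms"))                    # 1002
    print(svc.global_total("farms", max_per_user=100))  # 2, mallory's row dropped
```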


OAuth would have request replay prevention, or there could be some other ways of stopping the count fraud, but app_secret is probably always available in some kind of readable form. This is just an aspect of mobile security we have to live with. Facebook third-party sign-on helps a little here because one could check requests server-side against valid temporary FB keys. But the Fukime cow counter could easily do without those :)



