> Google lets you register which servers the auth tokens can be used from, which means that even if the application database gets hacked your data is safe.
This works when there are places of origin it can track but if you're handling tokens via a mobile device it's not as easy.
Regardless I wouldn't say your data is "safe". If someone broke into your system and you cached Google's data (which you probably did; federated queries suck) then your data isn't safe at all. Even the token can be re-used (I mean if someone broke in I don't see why they couldn't run stuff on the same server or even looking like it came from the same server).
This works when there are places of origin it can track but if you're handling tokens via a mobile device it's not as easy.
Regardless I wouldn't say your data is "safe". If someone broke into your system and you cached Google's data (which you probably did; federated queries suck) then your data isn't safe at all. Even the token can be re-used (I mean if someone broke in I don't see why they couldn't run stuff on the same server or even looking like it came from the same server).