We use unique ID numbers to identify programs, users, and specific applications for a user. For example, AppID = 1216704 might be a specific application for an applicant. These IDs are used in URL strings submitted to our servers to view or edit data.
For example, here is a URL string to view a test app: https://app.smarterselect.com/app/1216704
The security is driven by the user's login. First of all, submitting a URL string without having logged in won't do anything except ask you to login so that we can verify that you are a valid user for this URL. You can try this with the test URL above.
Secondly, after the user logs in, we confirm their role. Are they an applicant, evaluator, or admin? If they are an applicant or evaluator, they can only view/edit their own apps or evals. If they are an admin, they can only view/edit the apps and programs in their account. This is how we partition accounts so that only your admins can see your programs and apps.
In summary, a hacker can try any combination of AppIDs to view/edit an app, but if they don't have permission then they can't do anything. And, even if they found a way to log in, then they can only impact their own apps (if an applicant login) or their own programs (if an admin login). That's why it's important for users to create and use strong passwords.