You can use this method which gives you the authenticated user, http://help.qlik.com/en-US/sense-developer/3.1/Subsystems/APIs/Content/MashupAPI/Methods/getAuthenticatedUser-method.htm
Then you can implement some kind of user to app mapping.
However, this means that when John's logged in, right-clicks and hits View Source Code in his browser, he will have access to the list of users. I don't really want John to know that Paul and George are also users. Worse: I'm giving him Paul and George's usernames and the apps they can access. Do you understand my concern?
Is there a more secure way of mapping users to apps for use in an Extension?