Obtaining FB password with users permission

Question

Is it possible to obtain a users fb password, with granted permission? I'm using it in a project that allows users to keep their sensitive data locked using their fb account. It's for an iOS application, and right now I'm able to collect a users email, through the Facebook iOS sdk, and password, through a login "workaround", but I'm not sure if the app is going to get rejected due to infringement of facebook's and or apple's legal rights.

Answer 1

No, it is not possible to obtain a user's Facebook password. I am not sure if the app will be rejected but I would personally avoid this solution.

I suggest to use the user's facebookId instead of the user's email.

If the secured data are stored in the app:

You only need the facebookId.

---

If the secured data are stored on a server:

Of course, checking only the facebookId isn't secure enough because anyone with a precise facebookId could login with it and get access to the "secured" data on your server.

What you need is two parameter to identify a user through your app:

• The facebookId of the user
• A secret key

You can send the secret key in your header request (or as a URL/BODY parameter if you want). It ensures that your server is called by your app an not from another source (a hacker).

What I would do to be more secure is to hash these two parameters in SHA1 so that even your request isn't readable. Then all you have to do is compare on your server the same key hashed in SHA1 with the one received.

For hashing a string to SHA1, here is a link : http://www.makebetterthings.com/iphone/how-to-get-md5-and-sha1-in-objective-c-ios-sdk/