Reputation: 1615
In light of the Firesheep exploit, does anyone know what protocol the Facebook for Android app is using?
Upvotes: 4
Views: 8598
Reputation: 2010
DroidSheep (makers of an Android app similar to Firesheep) claims on its website that the official Facebook app does not use HTTPS:
Facebook enforces every developer, who wants to use the Facebook API in his application, to use SSL for any request to Facebook (LINK). This is ironic – they do not use encryption for their API themselves! The official Facebook Android app sends its cookie and HTTP requests unencrypted to Facebook and DroidSheep can simply hijack the requests and the account – even if the user has HTTPS enabled.
I wanted to verify this, but Firefox said Firesheep wasn't compatible with this version and blablabla... I gave up easily :) Maybe someone else could confirm this is true by actually capturing such packets being sent to/from their phone.
I suspect DroidSheep's claim may be partially true - at least for whatever version was on my old Droid Incredible - as, after recently using wifi in an airport, Facebook told me an unknown device (estimated to be on the other side of the country) logged in to my account.
Anyways I asked Facebook (in security settings) to confirm unknown devices by sending me a text.
Upvotes: 0
Reputation: 8932
It depends on the particular API call you are making. However, any call that includes an access token to either Facebook's REST or Graph API must be over SSL. Facebook will deny the request from their server if you include an access token over a non-secure request. The only API calls that wouldn't be over SSL are ones that access publicly available information such as http://graph.facebook.com/zuck/. This isn't specific to any single Facebook client SDK; this applies to any client accessing Facebook's API servers.
Upvotes: 4
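The check the first answer asked for (capture the phone's traffic and see what goes out in the clear) and the rule the second answer states (credentials belong only on SSL requests) can be combined in one small script. This is an added example, not code from the thread or from DroidSheep or Facebook: it takes plaintext HTTP requests as they would appear in a port-80 capture (constructed samples below, not real traffic, with placeholder cookie and token values) and flags any request to a facebook.com host that carries a Cookie header or an access_token parameter, which is precisely what a sidejacking tool on the same wifi could read.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed samples of what `tcpdump -A 'tcp port 80'` would show for three requests:
# a session cookie sent in the clear, an access_token sent as a query parameter in the
# clear, and a request for public data that carries no credential at all.
SAMPLE_PLAINTEXT_REQUESTS = [
    "GET /home.php HTTP/1.1\r\nHost: m.facebook.com\r\n"
    "Cookie: session=CONSTRUCTED_COOKIE_VALUE\r\n\r\n",
    "GET /me?access_token=CONSTRUCTED_TOKEN HTTP/1.1\r\nHost: graph.facebook.com\r\n\r\n",
    "GET /zuck HTTP/1.1\r\nHost: graph.facebook.com\r\n\r\n",
]

def parse_request(raw):
    """Split one raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def is_facebook_host(host):
    host = host.split(":")[0].lower()          # drop an explicit port if present
    return host == "facebook.com" or host.endswith(".facebook.com")

def find_cleartext_credentials(raw_requests):
    """Return (host, method, path, [what leaked]) for every plaintext request to
    Facebook that carries a session cookie or an access_token."""
    findings = []
    for raw in raw_requests:
        method, target, headers, body = parse_request(raw)
        if not is_facebook_host(headers.get("host", "")):
            continue
        leaked = []
        if "cookie" in headers:
            leaked.append("Cookie header")
        params = parse_qs(urlsplit(target).query)
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            params.update(parse_qs(body))      # tokens may also travel in a POST body
        if "access_token" in params:
            leaked.append("access_token parameter")
        if leaked:
            findings.append((headers["host"], method, urlsplit(target).path, leaked))
    return findings

if __name__ == "__main__":
    for host, method, path, leaked in find_cleartext_credentials(SAMPLE_PLAINTEXT_REQUESTS):
        print(f"CLEARTEXT CREDENTIAL: {method} http://{host}{path} -> {', '.join(leaked)}")
```

Only port-80 payloads are readable this way; anything the app does send over HTTPS shows up as opaque TLS records in the capture, so an empty result from a real capture is the outcome you want to see.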