cpprulez

Reputation: 896

Facebook iOS security question

Guys :) I'm trying to integrate Facebook Connect into my iOS application. However, I have a security concern. From the demo apps that come with the Facebook iOS SDK, the only thing ever needed to use Facebook services is a Facebook App ID, which is public and anyone can see it. From what I saw, the app security key isn't used anywhere. Isn't it possible to take the publicly available Application ID of any application out there and post things on its behalf? For example, couldn't I take someone else's Application ID and post nasty messages that seem to be coming from their application? So please, can anyone tell me how the Facebook security works and whether there is a way to protect my app ID? Huge thanks in advance :)

Upvotes: 0

Views: 1345

Answers (2)

Undeadlegion

Reputation: 330

In the settings of your Facebook Application page there is an iOS Bundle ID section that is intended to prevent that from happening.

You are supposed to specify the bundle ID from your Info.plist (e.g., com.your_company.your_app) so Facebook knows that your iPhone app is authorized to use your Facebook application.

EDIT: This issue has since been fixed.

Currently it does not seem to be functioning properly, but it appears to be a known issue that is being worked on.

https://github.com/facebook/facebook-ios-sdk/issues#issue/188

Upvotes: 0

Dhiren Patel

Reputation: 645

More generally, you will not be able to post on another application's behalf, because when you get an authentication token for a particular application and a particular user, the actions that you take happen on behalf of that user. Any posts you make, etc. would be shown as coming from that user, not the application (although it will say the post is "via <application>").

In addition, you can only post to a person's wall if the target user has added that application, and additionally granted that application publish_stream permission.

If you want to take an action as the application, you must get an App access token, which requires the application secret.

Upvotes: 1
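The two answers above describe three separate checks: the registered iOS bundle ID gates the login step, a user token only lets you act as that user (and only toward users who added the app and granted publish_stream), and acting as the application needs an app access token derived from the app secret. The following is an added example, not code from the question, the answers, or the Facebook SDK: a toy in-memory model of those rules written for this page, with a constructed app registry, made-up app ID, secret, bundle IDs and user names. It does not call the real Graph API; only the `app_id|app_secret` form of the app access token mirrors what Facebook actually issues.

```python
"""Toy authorization model of the rules in the answers above (constructed example)."""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredApp:
    app_id: str           # public, visible in any client
    app_secret: str       # must stay on your server, never in the iOS bundle
    ios_bundle_ids: frozenset


@dataclass(frozen=True)
class UserToken:
    app_id: str
    user_id: str
    scopes: frozenset


# Constructed registry: one app with one authorized bundle ID.
APPS = {
    "123456789": RegisteredApp(
        app_id="123456789",
        app_secret="constructed-secret-do-not-ship-in-client",
        ios_bundle_ids=frozenset({"com.example.myapp"}),
    )
}

# Constructed "who added the app and with which permissions" table.
INSTALLED = {
    ("123456789", "alice"): frozenset({"publish_stream"}),
    ("123456789", "bob"): frozenset(),   # added the app but did not grant publish_stream
}


def issue_user_token(app_id, bundle_id, user_id):
    """Login step: the requesting bundle ID must be one registered for this app ID,
    and the user must have added the app. Returns a UserToken or None."""
    app = APPS.get(app_id)
    if app is None or bundle_id not in app.ios_bundle_ids:
        return None                       # a copied App ID alone is rejected
    scopes = INSTALLED.get((app_id, user_id))
    if scopes is None:
        return None                       # user never added this application
    return UserToken(app_id, user_id, scopes)


def publish_to_wall(token, target_user_id):
    """Posting with a user token acts as that user, and only toward a target who
    added the app and granted publish_stream. Returns the attributed post or None."""
    if token is None:
        return None
    target_scopes = INSTALLED.get((token.app_id, target_user_id))
    if target_scopes is None or "publish_stream" not in target_scopes:
        return None
    # The post is attributed to the token's user, with the app only as "via".
    return {"from": token.user_id, "via": token.app_id}


def app_access_token(app_id, app_secret):
    """Acting as the application requires the secret; compare in constant time
    so a server-side check does not leak it through timing."""
    app = APPS.get(app_id)
    if app is None or not hmac.compare_digest(app_secret, app.app_secret):
        return None
    return f"{app_id}|{app_secret}"


if __name__ == "__main__":
    print(issue_user_token("123456789", "com.evil.clone", "alice"))      # None
    tok = issue_user_token("123456789", "com.example.myapp", "alice")
    print(publish_to_wall(tok, "alice"))                                 # attributed to alice
    print(publish_to_wall(tok, "bob"))                                   # None
    print(app_access_token("123456789", "guessed"))                      # None
```

The point of the model is which check fails when the only thing an attacker holds is the public App ID: the bundle-ID gate refuses the login, a user token it might obtain is attributed to that user rather than to the app, and the app token never materializes without the secret, which is why the secret belongs on a server rather than in the shipped binary.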
