Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authentication Issue #15

Closed
guicocoa opened this issue Aug 25, 2010 · 5 comments
Closed

Authentication Issue #15

guicocoa opened this issue Aug 25, 2010 · 5 comments

Comments

@guicocoa
Copy link

This may be a dumb question:
If all that is required for me to authenticate a session with facebook from inside my app is my app id, what prevents someone else from using MY app id in their app? My app id is publicly visible in my app's facebook url (facebook.com/apps/application.php?id=xxx). There used to be a secret or api key required to create a session - or am I missing something?
@yujuan
Copy link

yujuan commented Aug 25, 2010

The login process is actually logged in the user but not the app. Other people may know your app id, but they can not do anything to your app. they can not change your setting or anything.

@guicocoa
Copy link
Author

Yeah I understand that the user gets logged in securely. My problem is that what prevents another developer from using my app id to access facebook?

For example, another developer could get my app id from the url, put it in their iPhone app, and use that to publish things to a user's stream that contained questionable content or foul language causing that user to report MY app. Since it is my app id, would I not be the one held responsible?

How do I keep that from happening if the only way for my app to identify itself with the api is a public piece of intormation?

@yujuan
Copy link

yujuan commented Aug 25, 2010

This is a very good point. But remember no matter we use app_id or api_key or app_secret, once it is shipped with the app, there is nothing can be secret. The user can always get this information by crack your app. So try to keep a secret that is shipped with client app is not really useful. Using the SDK, the stream publish is through our facebook dialog, when the app publish something to user's stream, the user would always be able to preview the content. Moreover, you are the admin of the app, you will always be the first contact if something happen.

@snichols
Copy link

I disagree with this, yujuan. What if the user has given the app unprompted publish permissions? There would be no popup then, would there?

This seems to be a terrible security flaw. All a programmer has to do is know my Application ID and they can assume my application's identity. Yikes!

@markltownsend
Copy link

That is somewhat true. I am able to call [facebook dialog:@"publish_stream" attachement:attachement delegate:self] without having given publish permission. All a user has to do is log in and then the post to wall dialog comes up and they hit publish and it's there on the wall.

joesus pushed a commit that referenced this issue Aug 27, 2019
@nlutsenko
Clarify versioning instruction for CocoaPods installation. (#15)
2086a40
@ArthurNarimanov ArthurNarimanov mentioned this issue Mar 11, 2021
Closed
5 tasks
@devedup devedup mentioned this issue Jun 21, 2021
Closed
@linziyiwj linziyiwj mentioned this issue Nov 16, 2022
Open
5 tasks
@devSC devSC mentioned this issue Dec 29, 2023
Open
5 tasks
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@yujuan @markltownsend @snichols