New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication Issue #15
Comments
The login process is actually logged in the user but not the app. Other people may know your app id, but they can not do anything to your app. they can not change your setting or anything. |
Yeah I understand that the user gets logged in securely. My problem is that what prevents another developer from using my app id to access facebook? For example, another developer could get my app id from the url, put it in their iPhone app, and use that to publish things to a user's stream that contained questionable content or foul language causing that user to report MY app. Since it is my app id, would I not be the one held responsible? How do I keep that from happening if the only way for my app to identify itself with the api is a public piece of intormation? |
This is a very good point. But remember no matter we use app_id or api_key or app_secret, once it is shipped with the app, there is nothing can be secret. The user can always get this information by crack your app. So try to keep a secret that is shipped with client app is not really useful. Using the SDK, the stream publish is through our facebook dialog, when the app publish something to user's stream, the user would always be able to preview the content. Moreover, you are the admin of the app, you will always be the first contact if something happen. |
I disagree with this, yujuan. What if the user has given the app unprompted publish permissions? There would be no popup then, would there? This seems to be a terrible security flaw. All a programmer has to do is know my Application ID and they can assume my application's identity. Yikes! |
That is somewhat true. I am able to call [facebook dialog:@"publish_stream" attachement:attachement delegate:self] without having given publish permission. All a user has to do is log in and then the post to wall dialog comes up and they hit publish and it's there on the wall. |
This may be a dumb question:
If all that is required for me to authenticate a session with facebook from inside my app is my app id, what prevents someone else from using MY app id in their app? My app id is publicly visible in my app's facebook url (facebook.com/apps/application.php?id=xxx). There used to be a secret or api key required to create a session - or am I missing something?
The text was updated successfully, but these errors were encountered: