Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Secure communication between iOS client, Facebook API and server

Tags:

security

ios

facebook

iphone

facebook-graph-api

I would like to implement an iOS app with Facebook login. I would like the users of my app to be able to interact with their social graph (i.e. post to their stream). For that purpose I would use the Facebook iOS SDK.
When the users are already authenticated with Facebook, they also should be able to use some services on the server side of my application. How can I verify a user against the services on my server?

In my iOS app I can query the access token (for my Facebook application) using the iOS Facebook SDK. Should I send that access token together with the facebook user ID to my server? Can the server verify whether the access token is valid? Or should only my iOS App communicate with the Facebook API? Can the server post to my Facebook wall, or should this be done exclusively throught the iOS app?

like image 278
Peter Lapisu Avatar asked Jul 16 '12 15:07

Peter Lapisu

1 Answers

UPDATE:

Facebook now provides a security documentation / checklist: https://developers.facebook.com/docs/facebook-login/security/

You have at least two options:

  1. Send the access token to your Server and handle all requests to Facebook using that token (if the token is invalid you get an error and just pass it on to the client). => Safe but (a little) complicated.

  2. Separate the communication between

    • your client (iOS App) and the Facebook API and
    • your Client and your Server.

    Your app would handle all requests to the Facebook API through the Facebook iOS SDK and then communicate the resulting data, like all kind of Facebook ids, to your Server. This approach is totally insecure without some sort of encryption; you could send some cryptographic hash function to your server and validate it with a key stored on your server and the iOS App. => This method is (a little) easier to implement however less secure since the key can be stolen through reverse engineering. Moreover you would have to check the "I'm using encryption" check mark when submitting your app to the app store.

It actually depends on how much risk you are willing to take, what kind of requests you make, what kind of services you have and so on.

Can the server verify whether the access token is valid?

Yes, look here: Facebook access token server-side validation for iPhone app

like image 142
borisdiakur Avatar answered Oct 05 '22 13:10

borisdiakur
Sign in to Comment

Related questions

Including a static library inside a dynamic framework in iOS
Programmatically select text in UIWebView
Audio Metering levels with AVPlayer
iOS 9 Crashing in _prepareForCAFlush with EXC_BAD_ACCESS KERN_INVALID_ADDRESS
How to force a screen orientation in specific view controllers?
Which toolkit for iPhone mobile webapps?
UISlider highlight state with different thumb width than normal
Possible to use the native facebook app to log into a mobile html5 app? On the iPhone
Large cells in a UICollectionView getting removed while the cell is still displayed
Using NSLayoutManager to calculate frames for each glyph
How to associate iPhone application with _every_ file type?
How to play H264 Video file using VideoToolbox.framework in iOS 8?
How to embed iPhone-Wax into app
Text selection on PDF after rendering using the drawLayer for ipad
How to draw arc/curve line with MKOverlayView on MKMapView
What do the colors and percentages mean in the Leaks Instrument?
Automatically adding generated source files to an xcode project

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!