6

I'm following the iOS SDK install steps and noticed that there isn't a step to add the app secret key. Am I missing a step? How do they secure the app identity and prevent someone else from impersonating another app's app ID?

MonkeyBonkey

1 Answer

7

DO NOT put your app secret in your iOS app (or any mobile app). When you configure an iOS app, you need to specify your bundle ID, which is used as part of the authentication flow.

Ming Li
  • Could you elaborate on that? How is that secure? Because I could just authenticate against Facebook's API with some other App's identifier, couldn't I? – nekaab Feb 04 '14 at 09:39
  • 1
    The bundle ID is used when doing SSO, and iOS sends the bundleId as the "sourceApplication" to the Facebook app, which does the authentication; it cannot be faked. – Ming Li Feb 04 '14 at 18:44
  • OK, so far that makes sense. But couldn't I find out what the Facebook App then does with that information and do the same (impersonate the Facebook App itself?) Because all information is on my device. Or is that too far-fetched? – nekaab Feb 05 '14 at 07:51
  • At some point, if you're determined to hack your own device, then yes, there's only so much any particular app can do. However, that doesn't mean *any* app can do this without the user's knowledge. – Ming Li Feb 06 '14 at 23:08
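
The check described in the answer's comments, sketched as an added example (not code from the original answer or from Facebook's SDK): the app ID in the request is treated as a claim, and the bundle ID that iOS reports as `sourceApplication` is compared against the bundle IDs registered for that app ID. The registry, the `provider-auth` URL scheme, the `app_id` parameter name and the function names are hypothetical.

```swift
import Foundation

// Hypothetical registry: app ID -> bundle IDs the developer registered for it.
// Constructed sample values; a real provider would hold this mapping itself.
let registeredBundleIDs: [String: Set<String>] = [
    "1234567890": ["com.example.photos"],
]

enum AuthRequestError: Error, Equatable {
    case malformedRequest
    case unknownAppID(String)
    case bundleMismatch(appID: String, caller: String)
}

/// Validates an incoming SSO request inside the receiving (provider) app.
/// - url: the URL the calling app opened; the caller controls it, so `app_id` is only a claim.
/// - sourceApplication: the caller's bundle ID as reported by iOS, not by the caller.
func validateAuthRequest(url: URL, sourceApplication: String?) -> Result<String, AuthRequestError> {
    guard let components = URLComponents(url: url, resolvingAgainstBaseURL: false),
          let appID = components.queryItems?.first(where: { $0.name == "app_id" })?.value,
          let caller = sourceApplication, !caller.isEmpty else {
        return .failure(.malformedRequest)
    }
    // The claimed app ID must exist before any comparison is made.
    guard let allowed = registeredBundleIDs[appID] else {
        return .failure(.unknownAppID(appID))
    }
    // The OS-reported bundle ID must be one the developer registered for this app ID.
    guard allowed.contains(caller) else {
        return .failure(.bundleMismatch(appID: appID, caller: caller))
    }
    return .success(appID)
}

// Constructed requests: the same claimed app_id arriving from two different callers.
let request = URL(string: "provider-auth://authorize?app_id=1234567890")!
print(validateAuthRequest(url: request, sourceApplication: "com.example.photos"))
print(validateAuthRequest(url: request, sourceApplication: "com.other.app"))
```

The second call fails with `bundleMismatch` even though the URL is identical, which is why no app secret needs to ship inside the iOS app.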