After a login is completed using Facebook AccountKit, I want to retrieve the phone number or email used to authenticate. According to the docs this is a simple method call in the SDK:

[accountKit requestAccount:^(id<AKFAccount> account, NSError *error) {...}];

However, I keep getting this error:

[AccountKit][Error]: API calls from the server require an appsecret_proof argument

Okay, first of all, I am making the call using their client SDK, not from the server, so the error text makes no sense. And the user just logged in, so I have a valid access token.

Even assuming calls from the client required appsecret_proof as a parameter, there is no field for parameters when calling requestAccount.

I want all calls from the server to provide App Secret for security purposes, so I would rather not turn that setting off for my app. So how do I call requestAccount from the client when Require App Secret for server API calls is on?

Joel

1 Answer

I don't think it makes sense to have your server calls to FB secured with a secret, but have your client side requests not secured. Remember that your client side is way more susceptible to hacking than your server would ever be.

Since you're already making server-to-server calls to AK with the secret, I suggest you just add a new call from your server side that fetches the account info and passes it back down to your client.

For extra security, turn off client token flow entirely and only use code flow.

Pouya Larjani
  • That all makes sense, except my client just passed the email from the client to the FB server to create the auth. Weird that I can pass it down but can't get it back. I would think AccountKit could keep that info locally and provide it without an insecure call to the server. I've refactored everything to use code flow and get the info from the server now. – Joel Oct 05 '17 at 17:18
  • Also the error message should say something like API calls from the client SDK not allowed when appsecret_proof is required. Since the client doesn't even support adding appsecret_proof as a parameter. – Joel Oct 05 '17 at 17:21
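The server-side path the answer recommends, written out as an added example (not code from the question, the answer, or Facebook): the server exchanges the code-flow authorization code for an access token, computes appsecret_proof as the hex HMAC-SHA256 of that access token keyed with the app secret (the Graph API definition, which is exactly why it can only be produced where the secret lives), and calls the account endpoint on the client's behalf. The endpoint URLs, the `AA|app_id|app_secret` app access token format and the shape of the `/me` response are assumed from memory of the retired Account Kit API and should be treated as assumptions; the HTTP transport is injectable so the sample runs offline against a constructed fake.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

# Assumed endpoint layout (from memory of the retired Account Kit Graph API).
ACCOUNT_KIT_TOKEN_URL = "https://graph.accountkit.com/v1.1/access_token"
ACCOUNT_KIT_ME_URL = "https://graph.accountkit.com/v1.1/me"

HttpGet = Callable[[str], str]  # url -> response body


def appsecret_proof(app_secret: str, access_token: str) -> str:
    """HMAC-SHA256 over the access token, keyed with the app secret, hex encoded.

    This needs the app secret, so it must only ever be computed server-side;
    shipping the secret in a mobile client would defeat the setting entirely.
    """
    return hmac.new(app_secret.encode("utf-8"),
                    access_token.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def _default_http_get(url: str) -> str:
    with urlopen(url, timeout=10) as resp:  # real network; not used by the demo
        return resp.read().decode("utf-8")


def exchange_code_for_token(app_id: str, app_secret: str, code: str,
                            http_get: HttpGet = _default_http_get) -> str:
    """Code flow: trade the authorization code the client received for a user
    access token. The app access token format 'AA|app_id|app_secret' is assumed."""
    params = {"grant_type": "authorization_code",
              "code": code,
              "access_token": f"AA|{app_id}|{app_secret}"}
    data = json.loads(http_get(ACCOUNT_KIT_TOKEN_URL + "?" + urlencode(params)))
    if "error" in data:
        raise RuntimeError(f"token exchange failed: {data['error']}")
    return data["access_token"]


def fetch_account(app_secret: str, access_token: str,
                  http_get: HttpGet = _default_http_get) -> Dict[str, Optional[str]]:
    """Fetch the authenticated account with appsecret_proof attached, and reduce
    the (assumed) response shape to the fields the client actually needs."""
    params = {"access_token": access_token,
              "appsecret_proof": appsecret_proof(app_secret, access_token)}
    data = json.loads(http_get(ACCOUNT_KIT_ME_URL + "?" + urlencode(params)))
    if "error" in data:
        raise RuntimeError(f"account lookup failed: {data['error']}")
    return {"id": data.get("id"),
            "email": (data.get("email") or {}).get("address"),
            "phone": (data.get("phone") or {}).get("number")}


def fake_account_kit(app_id: str, app_secret: str) -> HttpGet:
    """Constructed stand-in for the Account Kit servers, used so the example runs
    offline. It enforces the same rule the real service reported in the question:
    calls without a valid appsecret_proof are rejected."""
    issued_token = "EMAW-constructed-user-token"  # constructed sample value

    def http_get(url: str) -> str:
        parsed = urlparse(url)
        q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        if parsed.path.endswith("/access_token"):
            if q.get("access_token") != f"AA|{app_id}|{app_secret}" or q.get("code") != "code-123":
                return json.dumps({"error": {"message": "invalid code or app token"}})
            return json.dumps({"id": "1234567890", "access_token": issued_token})
        if parsed.path.endswith("/me"):
            expected = appsecret_proof(app_secret, q.get("access_token", ""))
            if not hmac.compare_digest(q.get("appsecret_proof", ""), expected):
                return json.dumps({"error": {"message":
                    "API calls from the server require an appsecret_proof argument"}})
            return json.dumps({"id": "1234567890",
                               "email": {"address": "user@example.com"},
                               "phone": {"number": "+15555550100"}})
        return json.dumps({"error": {"message": "unknown endpoint"}})

    return http_get


def account_via_code_flow(app_id: str, app_secret: str, code: str,
                          http_get: HttpGet = _default_http_get) -> Dict[str, Optional[str]]:
    """What the app's own server does per login: code -> token -> account."""
    token = exchange_code_for_token(app_id, app_secret, code, http_get)
    return fetch_account(app_secret, token, http_get)


if __name__ == "__main__":
    transport = fake_account_kit("111222333", "constructed-app-secret")
    print(account_via_code_flow("111222333", "constructed-app-secret", "code-123", transport))
```

The client only ever holds the short-lived authorization code and the reduced account record the server returns; the app secret and the appsecret_proof computation never leave the server, which is the property the "Require App Secret" setting exists to guarantee.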