  1. Android facebook-sdk signature security
    <p>We've been implementing the Facebook Android SDK in our Android app, which requires storing the app signature on the Facebook server so calls from the app to Facebook can be validated. We'd like to use this system for our own backend to make sure it's only being used by our app, and regarding this I have the following questions:</p>
    <p>(Refer to <a href="https://github.com/facebook/facebook-android-sdk/tree/master/facebook/src/com/facebook/android" rel="nofollow">https://github.com/facebook/facebook-android-sdk/tree/master/facebook/src/com/facebook/android</a> to find the related classes)</p>
    <ol>
    <li>Obviously, to validate the call by matching signatures, the app's signature needs to be sent to the server. Within the SDK, I cannot seem to find where this is done?</li>
    <li>It seems no HTTPS is used, is that correct? (Util.java)</li>
    <li>Couldn't the signature be sniffed, rendering this whole system pointless?</li>
    <li>Facebook.java holds the Facebook app's signature at the bottom of the file. It might seem trivial to change this. However, as far as I understand, the signature of an app that sends an Intent can be resolved via that Intent. The Android system manages this and therefore a signature cannot be faked. However, when calling a URL, can the Android system add the signature to the protocol in such a way that it is immutable? I guess not, which makes me wonder about the above questions.</li>
    </ol>
    <p>[Edit in reply to nitzan &amp; zapl]</p>
    <p>What I'm trying to achieve is the same as why the Facebook SDK requires you to store the signature on their server: making sure calls to our backend are sent from our app and nothing else. We don't want to allow bots or other apps to access our server API. The Facebook SDK has methods to check if Intents originate from the Facebook app, which is safe because of the closed management of signatures and Intents by the Android system. The only way to compromise this would be by running a modified Android version which allows for overriding app signatures, but the odds of people building and running that are negligible. However, running an app, sniffing the signature that is sent over a non-HTTPS protocol and building an app that uses this signature with API calls isn't. It seems the only way to make such a system work is using HTTPS, which it seems the Facebook SDK doesn't.</p>
    <p>Note that the Intent validation methods I'm describing above are different from the URL calls to the Facebook server. The Intents are used to have the Facebook app on a device communicate with an app which implements the SDK. The Android system ensures the signature of the Facebook app that is sent with the incoming Intent cannot be faked, so the Facebook app->app communication system is safe. As opposed to this internal system, my question is about the external system of outgoing URL calls to a server, which would be safe if the signature could be sent immutably along with the call, basically implementing the same system as the Intent system.</p>
    <p>[edit 2]</p>
    <p>As opposed to what we were assuming, it turns out an app signature is easily fetched. While apps need to be signed using a private developer key, this doesn't compromise security concerning apps on Android; however, it obviously cannot be used to validate API calls server-side.</p>
    <p>This leads to more questions:</p>
    <ol>
    <li>Why is Facebook implementing this system while it's easily compromised?</li>
    <li>Are there any other known implementations to restrict server API access to a specific app only? (other than obfuscation)</li>
    </ol>