I am writing an iPhone application using Facebook Connect. During testing, you usually paste the application secret directly into the code and set up Facebook with this call:
session = [FBSession sessionForApplication:myApiKey secret:myAppSecret delegate:self];
However, for production code, it is recommended that you use a session proxy instead of embedding the secret of your application in your code:
session = [FBSession sessionForApplication:myApiKey getSessionProxy:myURL delegate:self];
I see how distributing your "secret" is probably bad - it allows someone to take actions that appear to come from your application. But I do not see how using a proxy solves this problem. An attacker can simply point his code to your proxy server. The proxy server does not verify that the request comes from your application. In other words, you do not give away the keys to the kingdom, but you give daily passes to absolutely anyone who asks!
So where is the added security? Are there any additional privileges that the application secret gives you that the proxied session does not?
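To make the security difference concrete, here is an added example (not part of the question, not Facebook's SDK, and not the Connect library's own proxy code) of what a session proxy can do that an embedded secret cannot. It assumes the request-signing scheme of the old Facebook REST API (sorted key=value pairs concatenated, the app secret appended, MD5-hexed); the key and secret values, the `SessionProxy` class and the quota and revocation checks are all constructed for illustration. The point it shows is that the secret stays on a host you control, so you can rate-limit individual callers, revoke access, or rotate the secret without shipping a new binary, none of which is possible once the secret is inside an app bundle.

```python
import hashlib

# Constructed placeholder values for this example; in practice the secret
# lives only on the proxy host and is never compiled into the app.
APP_API_KEY = "example-api-key"
APP_SECRET = "example-app-secret"


def facebook_rest_signature(params, secret):
    """Request signature as used by the old Facebook REST API (assumption):
    concatenate sorted 'key=value' pairs, append the secret, MD5-hex the result."""
    payload = "".join(f"{key}={params[key]}" for key in sorted(params)) + secret
    return hashlib.md5(payload.encode("utf-8")).hexdigest()


class SessionProxy:
    """Hypothetical server-side proxy that signs API calls on behalf of the app.

    The client only ever sends unsigned parameters; the proxy adds api_key and
    sig. Because the secret never leaves this host, the proxy can also enforce
    controls that an embedded secret cannot: per-caller quotas and revocation.
    """

    def __init__(self, api_key, secret, max_requests_per_caller=100):
        self.api_key = api_key
        self._secret = secret
        self.max_requests_per_caller = max_requests_per_caller
        self._request_counts = {}
        self._revoked = False

    def revoke(self):
        """Cut off every caller at once, e.g. after detecting abuse of the proxy."""
        self._revoked = True

    def rotate_secret(self, new_secret):
        """Change the secret without touching any shipped client."""
        self._secret = new_secret

    def sign(self, caller_id, params):
        """Return params extended with api_key and sig, or raise if not allowed."""
        if self._revoked:
            raise PermissionError("proxy access has been revoked")
        count = self._request_counts.get(caller_id, 0) + 1
        if count > self.max_requests_per_caller:
            raise PermissionError(f"quota exceeded for caller {caller_id}")
        self._request_counts[caller_id] = count

        signed = dict(params, api_key=self.api_key)
        signed["sig"] = facebook_rest_signature(signed, self._secret)
        return signed


def build_session_request(proxy, caller_id, auth_token):
    """What the phone would ask the proxy for: a signed auth.getSession call."""
    return proxy.sign(caller_id, {"method": "auth.getSession", "auth_token": auth_token})


if __name__ == "__main__":
    proxy = SessionProxy(APP_API_KEY, APP_SECRET, max_requests_per_caller=2)
    print(build_session_request(proxy, "device-1", "constructed-auth-token"))
```

Note that the proxy still cannot prove the caller is your app (the question's objection stands), but the blast radius differs: an abused proxy can be throttled, logged and shut off, while an extracted secret is valid until you rotate it and ship a new build.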