5

The Facebook iOS SDK only needs your bundle & app IDs of your iOS app to match those of your Facebook app.

If I find out an app's app ID, can't I just create another iOS app with that app's bundle ID? Sure, I may not be able to distribute my app on Apple's App Store (since it requires every bundle ID to be unique), but can't I distribute it other ways? Shouldn't the iOS app also need to know the app secret? I guess Facebook figures allowing an attack to extract the app secret from the iOS app would be worse? What about storing the app secret in the iOS SDK Keychain Services?

ma11hew28
  • 287
  • 1
  • 9
  • "Never include your App Secret in client-side or decompilable code." https://developers.facebook.com/docs/facebook-login/security/ – ma11hew28 Feb 17 '14 at 16:45

2 Answers2

1

The iOS app ID includes a team specific prefix that can not be changed nor set by the developer; it is automatically used when signing a build (which you even have to do when using ad hoc distribution or development builds)

So unless Facebook ignores that part when checking the App ID to be equal, you cannot create an app that passes as another app.

There you go:

App ID A string that identifies one or more apps from a single team. An App ID consists of a bundle ID search string preceded by the Team ID, a 10-character string generated by Apple to uniquely identify a team.

Tobi Nary
  • 14,352
  • 8
  • 44
  • 58
0

You can install up to 100 devices using Ad Hoc distribution,without App store.But First you need to register each device in apple dev center using device Id.So I don't think it's a huge problem.

Harikrishnan
  • 452
  • 1
  • 6
  • 18
  • That's a good point. I was thinking you could distribute the app via Cydia. But, your answer reminded me that, then, only jailbroken devices could install it. – ma11hew28 Feb 13 '14 at 03:42
  • Now, I have another question... How does the Facebook iOS SDK prevent bundle ID spoofing? In other words, why can't I just give my app its own bundle ID but then send Facebook the bundle ID of another app? – ma11hew28 Feb 13 '14 at 03:44
  • Hmmm... Looks like they're doing some sort of [encryption](https://github.com/facebook/facebook-ios-sdk/blob/master/src/DeviceAPI/FBAppBridge.m#L433), but I don't fully understand it yet. – ma11hew28 Feb 13 '14 at 03:57
  • 1
    Obviously jail broken devices won't worry about security ;) – Harikrishnan Feb 13 '14 at 05:57