Facebook-sdk signature security for Android

We implemented the Facebook Android SDK in our Android application, which requires the application signature to be stored on the Facebook server so that calls from the application to Facebook can be verified. We would like to use this system for our own backend, to make sure that it is used only by our application, and in this connection I have the following questions:

(see https://github.com/facebook/facebook-android-sdk/tree/master/facebook/src/com/facebook/android to find related classes)

  • Obviously, to confirm the call by matching signatures, the application signature must be sent to the server. Inside the SDK I cannot find where this is done.
  • It seems that HTTPS is not used, right? (Util.java)
  • Could the signature be falsified so that the whole system would be meaningless?
  • Facebook.java contains the signature of the Facebook application at the bottom of the file. It may seem trivial to change that. However, as I understand it, the signature of the application sending the intent can be resolved using this intent. The Android system controls this, and therefore the signature cannot be tampered with. However, when calling the URL, can the Android system add the signature to the protocol so that it is immutable? Probably not, which makes me wonder about the above issues.

[Edit in response to nitzan and zapl]

, , , , facebook sdk ; , . , api. facebook sdk , , Facebook, - Android. - Android, , , , . , , non https, , , api - . , ​​ - https, , -, facebook sdk.

, Intent, , URL- facebook. Facebook , , SDK. Android , Facebook, Intent, , Facebook . , URL- , , ​​ , , Intent.

[edit 2]

, , , . , Android, , , api calls serverside.

:

  • Facebook , ?
  • , api ? ( )
+3
2
  • .
  • , fbconnect:// Uri http://, .
  • , , .
  • , , apks, , . , , apk ( , ). .
    , , , . apk, apk apk, , . .
    , , , , .

, . , , API, , api.

apk. apk , , . , , , . .


, , , , . .apk , , - https. , , XML apk. , , , , , , . https, .

. .

+1

, , - , , , , .

, . .

, , , , ( ) . , , .

SSL , SSL , SSL, . SSL .

0
