How I’ve used “Login with Facebook” on mobile

This post is about how I have used social login, specifically Facebook Login, in my mobile apps. It may look a little ridiculous, but yes, this is how I did it.

The first approach

This was my first approach to Facebook authentication, many years ago:

  • First, use the Facebook SDK to log in and obtain the user’s Facebook ID.
  • Use that Facebook ID as the user identifier for application data.
  • Save the Facebook ID locally on the device so the user does not need to log in with Facebook again.
  • Send this Facebook ID with all further requests.

It is easy to see the critical security issue here: a Facebook ID is an identifier, not a secret. Anyone who learns a user’s ID can send requests as that user and manipulate their data. Still, for simple applications where security does not matter, or where there is no per-user data at all, this approach can be good enough.

Update 1: Add internal authentication feature

As an improvement, I added login/sign-up to the internal server, so that the server performs its own authentication:

  • Authenticate with the internal server using the Facebook ID, and receive a token with a limited lifetime.
  • Use this token for further requests.
  • On the next launch, log in automatically using the saved Facebook ID.

Note that this only moves the problem: the server still hands a token to anyone who presents a Facebook ID, so the ID is effectively the password.

Update 2: Add developer key & device information

  • All requests now need a “key” in a header, a developer key, that identifies where the request comes from. The key can change with each release, so I can decide on the server which keys are allowed or disallowed and cut off an old or compromised build.
  • Every device is given a unique identifier that is attached to all requests, so I can see which devices a user is using concurrently and decide whether a request looks normal or abnormal.
  • Device timezone, IP address and similar signals are also useful for spotting abnormal requests.

Keep in mind that the developer key ships inside the app binary and can be extracted from it, and a rooted device can report any device ID it likes, so these are risk signals for anomaly detection, not authentication.
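As an added example (not code from the original post), here is how the server side of this update could look: a per-release developer-key allowlist that can revoke an old build, and a per-user device history that flags a request when too many devices are active at once or when a new or known device shows up in a different timezone shortly after the last request. The key table, thresholds and in-memory stores are assumptions for the example; IP-based checks would slot into the same place as the timezone check.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption for this example: release keys and per-user device history are
# kept in memory. In production they would live in a database or cache.
# Tying a key to a release lets a bad build be cut off server-side without
# shipping a new app.
RELEASE_KEYS = {
    "rk-2.1.0": "allowed",
    "rk-2.0.0": "allowed",
    "rk-1.9.0": "revoked",  # retired build: refuse its traffic
}

MAX_CONCURRENT_DEVICES = 3       # more active devices than this is unusual for one user
TIMEZONE_CHANGE_WINDOW = 3600    # a different timezone within an hour of the last request is suspicious


@dataclass
class DeviceRecord:
    timezone: str
    last_seen: float


@dataclass
class UserHistory:
    devices: Dict[str, DeviceRecord] = field(default_factory=dict)


@dataclass
class Request:
    developer_key: str
    device_id: str
    timezone: str
    user_id: str


class RiskChecker:
    """Evaluate one request against the developer-key list and the user's device history."""

    def __init__(self, now=time.time):
        self.now = now
        self.history: Dict[str, UserHistory] = {}

    def check(self, req: Request) -> Tuple[str, List[str]]:
        """Return (decision, reasons); decision is 'deny', 'review' or 'allow'."""
        status = RELEASE_KEYS.get(req.developer_key)
        if status != "allowed":
            reason = "unknown developer key" if status is None else "revoked developer key"
            return "deny", [reason]

        reasons: List[str] = []
        hist = self.history.setdefault(req.user_id, UserHistory())
        now = self.now()
        known = hist.devices.get(req.device_id)

        if known is None:
            # A new device: check concurrency and whether it disagrees with devices used moments ago.
            if len(hist.devices) >= MAX_CONCURRENT_DEVICES:
                reasons.append("too many concurrent devices")
            recent = [d for d in hist.devices.values() if now - d.last_seen < TIMEZONE_CHANGE_WINDOW]
            if recent and all(d.timezone != req.timezone for d in recent):
                reasons.append("new device in a different timezone")
        elif known.timezone != req.timezone and now - known.last_seen < TIMEZONE_CHANGE_WINDOW:
            # The same device cannot plausibly move across timezones within the window.
            reasons.append("timezone changed on a known device")

        hist.devices[req.device_id] = DeviceRecord(req.timezone, now)
        return ("review" if reasons else "allow"), reasons


if __name__ == "__main__":
    checker = RiskChecker()
    print(checker.check(Request("rk-1.9.0", "dev-a", "Asia/Ho_Chi_Minh", "user-1")))
    print(checker.check(Request("rk-2.1.0", "dev-a", "Asia/Ho_Chi_Minh", "user-1")))
    print(checker.check(Request("rk-2.1.0", "dev-b", "Europe/Berlin", "user-1")))
```

A "review" result is meant to trigger a second factor or a re-login with Facebook rather than a hard block, since all three signals can be spoofed by a determined client; only the revoked or unknown key is a hard deny.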

Update 3: Checking data integrity

All request and response data is hashed together with a key, either a static key or one that changes per session, using a symmetric key (an HMAC) or an asymmetric key pair (a signature), so the receiving side can tell whether the data was changed in transit. The hash should also cover a timestamp or nonce; otherwise a captured valid request can simply be replayed. And a static key compiled into the app can be extracted from the binary, so treat this as tamper-evidence rather than as proof of who sent the request.
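As an added example (not the original post's code), here is the symmetric variant of this check with the replay protection included: the client signs method, path, timestamp, nonce and a hash of the body with HMAC-SHA256, and the server recomputes the MAC, compares it in constant time, rejects stale timestamps and refuses a nonce it has already seen. The header names, shared secret and in-memory nonce store are assumptions for the example.

```python
import hashlib
import hmac
import json
import os
import time

# Assumption: a secret shared between client and server. In a real app a key
# compiled into the binary can be pulled out of the APK/IPA, so this detects
# tampering in transit rather than proving the sender's identity.
SHARED_SECRET = b"example-shared-secret-do-not-use"

REPLAY_WINDOW_SECONDS = 300  # reject requests whose timestamp is more than 5 minutes off


def canonical_message(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Bind method, path, timestamp, nonce and body hash into one byte string.

    Hashing the body lets the server detect a modified payload; the timestamp
    and nonce stop an observer from replaying a valid request later."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes, timestamp=None, nonce=None) -> dict:
    """Client side: produce the headers that accompany the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = os.urandom(12).hex() if nonce is None else nonce
    mac = hmac.new(secret, canonical_message(method, path, timestamp, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    """Server side: verify the MAC and reject stale or replayed requests."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now
        self.seen_nonces = set()  # assumption: in-memory; use a store with expiry in production

    def verify(self, method: str, path: str, headers: dict, body: bytes) -> bool:
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
        except (KeyError, ValueError):
            return False
        if abs(int(self.now()) - timestamp) > REPLAY_WINDOW_SECONDS:
            return False  # too old (or from the future): likely a replay
        if nonce in self.seen_nonces:
            return False  # exact replay of an earlier request
        expected = hmac.new(self.secret, canonical_message(method, path, timestamp, nonce, body), hashlib.sha256).hexdigest()
        # compare_digest does not leak where the two strings first differ
        if not hmac.compare_digest(expected, signature):
            return False
        self.seen_nonces.add(nonce)
        return True


if __name__ == "__main__":
    body = json.dumps({"user": 123, "action": "update_profile"}).encode()
    headers = sign_request(SHARED_SECRET, "POST", "/api/profile", body)
    verifier = Verifier(SHARED_SECRET)
    print(verifier.verify("POST", "/api/profile", headers, body))                          # genuine request
    print(verifier.verify("POST", "/api/profile", headers, body))                          # same nonce again: replay
    print(Verifier(SHARED_SECRET).verify("POST", "/api/profile", headers, body.replace(b"123", b"124")))  # tampered body
```

Responses can be protected the same way in the other direction with the server signing and the client verifying; the asymmetric variant swaps the HMAC for a signature with the server's private key, which is the better choice for responses because the client then only needs the public key.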

Update 4: Sync with device Facebook account session

Now the Facebook ID is no longer saved locally on the device. I use the Facebook SDK to restore and check the Facebook session every time the application launches, then use the Facebook ID returned by the SDK to authenticate with the internal server.

Update 5: Trust FacebookID from server side

The updates above still have a critical issue: the server cannot tell whether the Facebook ID it receives is genuine, because the client can send any ID it likes.

So, from mobile, after authenticating with Facebook, the Facebook access token (not just the ID) is sent to the internal server for authentication. The server verifies the token with Facebook (the Graph API’s debug_token endpoint reports which app the token was issued to and which user it belongs to) and takes the user ID from that answer, never from the client.
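As an added example (not the original post's code), this is the server side of Update 5 combined with the limited-lifetime token from Update 1: the internal server calls Facebook's debug_token endpoint with its app token, accepts the token only if it is valid, issued to this app and not expired, takes the user ID from Facebook's response, and only then issues its own short-lived session token. The app ID, app secret, session lifetime, the in-memory session store and the constructed Facebook responses in the usage below are assumptions for the example; the debug_token endpoint and its `is_valid`, `app_id`, `user_id` and `expires_at` fields are real.

```python
import json
import secrets
import time
from typing import Callable, Dict, Optional
from urllib.parse import urlencode
from urllib.request import urlopen

# Assumptions for this example: the app's own credentials and a one-hour session lifetime.
APP_ID = "123456789012345"
APP_SECRET = "example-app-secret-do-not-use"
SESSION_TTL_SECONDS = 3600

GRAPH_DEBUG_TOKEN_URL = "https://graph.facebook.com/debug_token"


def fetch_debug_token(input_token: str) -> dict:
    """Ask Facebook what a token really is, authenticating with the app access token (app_id|app_secret).

    This is the only function that touches the network; callers can inject a fake for testing."""
    query = urlencode({"input_token": input_token, "access_token": f"{APP_ID}|{APP_SECRET}"})
    with urlopen(f"{GRAPH_DEBUG_TOKEN_URL}?{query}", timeout=5) as resp:
        return json.load(resp)


def verify_facebook_token(input_token: str,
                          fetch: Callable[[str], dict] = fetch_debug_token,
                          now: Callable[[], float] = time.time) -> Optional[str]:
    """Return the Facebook user ID this token belongs to, or None if the token must not be trusted.

    Whatever Facebook ID the client claims is ignored; the only ID that counts is the one
    Facebook reports for the token, and only if the token is valid, was issued to *this*
    app and has not expired."""
    data = fetch(input_token).get("data", {})
    if not data.get("is_valid"):
        return None
    if str(data.get("app_id")) != APP_ID:
        return None  # a valid token for some other app is still not a login to ours
    expires_at = data.get("expires_at", 0)
    if expires_at and expires_at <= now():
        return None
    user_id = data.get("user_id")
    return str(user_id) if user_id else None


class SessionStore:
    """Issue short-lived internal session tokens bound to a verified Facebook user ID."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.sessions: Dict[str, tuple] = {}  # session token -> (user_id, expiry)

    def login(self, facebook_token: str, fetch: Callable[[str], dict] = fetch_debug_token) -> Optional[str]:
        user_id = verify_facebook_token(facebook_token, fetch=fetch, now=self.now)
        if user_id is None:
            return None
        token = secrets.token_urlsafe(32)  # unguessable; the session lives server-side
        self.sessions[token] = (user_id, self.now() + SESSION_TTL_SECONDS)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolve a session token on each request; expired sessions are dropped."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user_id, expiry = entry
        if expiry <= self.now():
            del self.sessions[token]
            return None
        return user_id


# Constructed debug_token responses in the shape Facebook returns, for offline use.
SAMPLE_RESPONSES = {
    "good-token": {"data": {"app_id": APP_ID, "is_valid": True, "user_id": "10001", "expires_at": 2000}},
    "other-app-token": {"data": {"app_id": "999", "is_valid": True, "user_id": "10001", "expires_at": 2000}},
    "bad-token": {"data": {"is_valid": False, "error": {"message": "Invalid OAuth access token."}}},
}


def sample_fetch(input_token: str) -> dict:
    """Stand-in for fetch_debug_token that serves the constructed responses above."""
    return SAMPLE_RESPONSES.get(input_token, {"data": {"is_valid": False}})


if __name__ == "__main__":
    store = SessionStore(now=lambda: 1000)
    session = store.login("good-token", fetch=sample_fetch)
    print(session is not None, store.user_for(session))
    print(store.login("other-app-token", fetch=sample_fetch))
    print(store.login("bad-token", fetch=sample_fetch))
```

The user ID in the debug_token response is app-scoped, so it is stable for your app and is the right key for application data; the client's own Facebook ID, saved or freshly read from the SDK, is never needed by the server at all.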

Finally, add some more security techniques

Some more security techniques worth considering:

  • Prefer POST over GET, so tokens and user data do not end up in URLs, browser history, proxy logs and Referer headers.
  • Use HTTPS instead of HTTP; without it every token and signature above travels in the clear and can be captured by anyone on the network path.

What do you think about this approach, good or bad? Let me know in the comments.