I'm getting my head around using Facebook login on iOS apps made in AIR. I have a class I bought, which takes care of Facebook auth stuff, and have got it working, but I'm concerned about the safety of it.
I also have a web app that successfully uses FB login. I store the user's FB id in my database so that when they log in, I can connect them to their user data on my site, just as I would if they used a username/pass.
Comparing my web app Facebook login process to iOS:
WEB APP:
User clicks 'log in with Facebook'.
Facebook tells my server the user is indeed logged in, and returns their Facebook ID, which I search for in my system, and if found, log them into my site - all secure as it's server-side.
iOS:
User clicks 'log in with Facebook'.
Facebook tells my app the user is logged in, and returns their Facebook ID (no longer server-side)
My app sends my server the user's Facebook ID, my server searches for it in my system, and if found, logs them in
The iOS way seems vulnerable to someone hacking your app and sending you any old Facebook ID to log into your system with, which can't really happen with the web app login process above.
Your thoughts? How should FB login be done on iOS?
Thanks for taking a look.
Related
I have an app that all works fine for authentication and it uses Oauth2 (Google).
Now, I am struggling with the logout URL for this app. It works, but I am under the impression that it is possible to logout of it and remain logged into my gmail account please? Currently, ALL accounts are logged out of so the two gmail accounts need to go through login each time the app is used and log out is pressed.
I have read that this is possible but this is the URL that I am using to Log out
https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://news.bbc.co.uk
I am sure it can be done because I did it in a former role but do not have the code!
I'm creating a book library app, where people buy an account and become able to read all the books...
In the past, we were able to get the UDID of the iOS device and the login only works from this specific UDID.. now apple prevents this, another solutions were there like OPEN-UDID but now doesn't work...
Are there any other means to prevent the user from giving the credentials to another people??
The only solution on top of my head now is this :-
When a user login, a flag on the server becomes true, and when another account try to login using the same credentials, it will show an error message "you are already logged in on another device".. when the original user logs out, the flag becomes false.. this will prevent the account from being used on multiple devices at the same time.. but the drawback is, what if the user unInstalls the app without logging out?
Is there a research on this topic that covers all these scenarios?
Is there a way to use apple keychain or iCloud or any other solution ?
What you can do is on new login invalidate api request(and send them to login screen) of previous login you can use device token with each api to check if you want to send data to device or it's a old login token and needs redirect to login. you have to just store a device token for each account login if it matches then send data else redirect to login
Edit 1:
if you uninstall the app then you have to login again from other device to access the books(data) and in each login you'll replace the old token with new one. Now only device which has this new token can access books. All other device if there are any login left in any device then they will get message from API that token not matched and you have to redirect them to login page again
I'm having an iOS app, need Facebook login to share something to wall. Everything is ok until I received new feedback from customer. Let me describe this case.
Apple have integrated Facebook into iOS system, user just needs to login via Setting, it is so easy for user. But my customer does not want to do that, they want user to login Facebook inside app and use it instead of Facebook of iOS system. Problem is here, there is a case: user has already logged in Facebook account A via iOS system, then user opens app and login Facebook inside app with other Facebook account B. After that, user shares a picture. Requiment is this picture should be shared on wall of Facebook account B (of app), but this picture appeared on wall of Facebook account A(of iOS system).
I just wonder do we have any solutions to resolve this case? Please give me any ideas you all have in mind after reading.
Thanks,
Ryan
I faced the same problem with Facebook SDK whenever a user login from any app using Facebook it change userid returned with the token which leads to share on the latest opened account.
if you open Facebook from a browser you will get this message from Facebook " we got confused please re-login "
so i took the same approach i saved user-id User(A) and whenever user share i check id coming with token if it changed i show " Facebook account changed please relogin " & i log all users out.
check this link may be helpful: https://www.facebook.com/help/community/question/?id=10205949056147843
I have used latest FB SKD in my iOS app so users can use facebook account to login. Application open the FB app and comes back to my app perfectly fine. However, in some place in the app, i have to show/pull some people facebook page (safari based using WebView), but even user already used the Facebook account to login into my native ios app, but the page still ask user to login again and when they click login, it shows them the annoying FB username/pass page.
Is there anyway, that the FB safari based page can authenticate the user since it's already logged into my app using FB integration? do i have to include query or something. Please give me details how to solve this problem since i'm new in this..
thanks again for your help...
pic: https://www.dropbox.com/s/rjlptu7ufpcq3vl/fb.png
When the user switches to Facebook app to authenticate, it doesn't create a cookie for your UIWebView which is why it's asking to login again. Have the user authenticate inside the UIWebView without switching to the Facebook app.
What you're talking about also sounds like a similar thing that happens with Facebook dialogs not knowing about the current Facebook session.
If you authenticate your user via Facebook, try saying the Facebook object itself as an instance variable somewhere in memory so you can access it again (a property on a singleton controller, perhaps?).
Spawning dialogs from an authenticated Facebook object appears to let them use the dialog without reauthenticating iff you have a [FBSession activeSession]. So you'd also have to maintain an active FB session. But I'm not sure if this kind of solution will work since you didn't show specific code for how you're doing your web-based FB fetches.
This question might also prove helpful:
Implement Login with Facebook in iOS 5 and 6
I have a facebook fbml app and a web application. I want my web application users to be able to add my facebook app. Seems simple, right?
Currently, I am making the connection by adding a param to the canvas page link in my site. For example, I have a link that says "add our fbook application" which links to http://apps.facebook.com/our_fbook_application?suid=786432878923
suid is the logged in user's uid on my site. Adding this to the canvas link params allows me to connect their site uid to their fbook uid on my site. This way when requests come in from facebook, I can authenticate them based on solely the fbook uid after the connection is made.
This seems like a security issue. I think an attacker could log into their facebook account and guess user id's by calling http://apps.facebook.com/our_fbook_application?suid=x and when x corresponded to a suid on my site, he would be authenticated to see that user's data.
This connecting of a facebook app user to a website user seems like it should be really common practice, but all I can find these days is facebook connect examples which I am not supporting yet.
Can someone walk me through the steps to connect a facebook app user to my website user? Major bonus points if someone can do it in Rails with the facebooker gem.
Thanks!
don't pass the suid as a variable.
Instead, on your backend, associate the FB uid with the suid.
When the user accesses the app via website, he/she will have to log in (maybe through fb connect?).
When the user accesses the app via FB, your page should be able to determine the fbuid of the user and map that to the correct suid and log the user into your site.