
I'm writing an app that includes a "news stream". One type of entry is a Facebook post. I'd like to fetch those posts just like the Twitter API allows, without login. I do not want to implement the Facebook Login feature from their API. It is redundant in my case. What I am wondering about is the security of this kind of bypass. Is it safe to get plain text (as JSON) from a link:

https://graph.facebook.com/{post-id}?access_token={token}

Token is my personal token that I generated at https://developers.facebook.com/tools/explorer/

Is it safe to use this token hard-coded in my app's code (Android)?

Using URLConnection, OutputStreamWriter, URLEncoder, BufferedReader.

Or should I make a .php on my server as the "middleman"? (Pointless, I guess.)

Are there any other ways to get public posts from Facebook?

Bart Lizak
  • Note that a personal token can be [decoded to reveal your personal information](https://developers.facebook.com/tools/debug/accesstoken/) and can be used by others if it is publicly available. – cpilko Feb 23 '15 at 14:26

1 Answer


Because it is https, and because you are storing the token encrypted, it can be considered safe. However, you are missing a larger point: when you submit your app's APK to request permissions from Facebook, they expect you to use the Facebook SDK for Android when making use of the Graph API. This is mentioned in their conditions for approving permissions.

If you directly use the URLs to get data, you will not receive permissions. By running your APK and observing the logcat data, Facebook is able to determine whether or not you are using the SDK.

So to answer your second question, Are there any other ways to get public posts from Facebook, the answer is YES, there is the Facebook SDK for Android, and you must make use of that in your app.

Yash Sampat
  • Thank you for your interest. I'm aware of the SDK. I've even configured my project to use it. Just before, I found out that I need to make my users log in with their FB accounts to see some of my content. **I think that it is too much to request from my users.** I'm disappointed. – Bart Lizak Feb 23 '15 at 14:27
  • The token generated from the Facebook tools explorer is for educational purposes only. A live app will require a token obtained from a valid user account, and that's only possible when you have user login, along with a permission from Facebook to get the public posts. And you only get that permission if you use the native Facebook SDK :) – Yash Sampat Feb 23 '15 at 14:40
  • Not only that, but every access token has an expiry date, and I highly encourage you not to hardcode an access token anywhere. – Ming Li Feb 23 '15 at 16:54
  • @MingLi: I request your guidance with [this question](http://stackoverflow.com/questions/29276666/send-a-message-to-a-facebook-friend-from-an-android-app) and would appreciate any help from you :) – Yash Sampat Apr 02 '15 at 20:05
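The "middleman" the question floats, and the comment advising against hard-coding the token, point at the same design: the token lives only on the server, the app sends a post id, and the server returns a trimmed JSON object. The sketch below is an added example and not code from the question or the answer; it is written in Python rather than PHP, the post-id pattern, the field whitelist, the `FB_ACCESS_TOKEN` environment variable and the pluggable `http_get` transport are all assumptions, not Graph API specifics.

```python
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

GRAPH_BASE = "https://graph.facebook.com"
# Assumed post-id shape ("<owner>_<post>" or a bare numeric id); anything else
# is rejected before it can reach the upstream URL (no path tricks like "../me").
POST_ID_RE = re.compile(r"^\d+(?:_\d+)?$")
# Only these fields are relayed to the app, so the client never sees more than
# the news stream needs even if the upstream response carries extra data.
PUBLIC_FIELDS = ("id", "message", "created_time")


def build_graph_url(post_id, token):
    """Build the URL from the question; the token is supplied server-side only."""
    if not POST_ID_RE.fullmatch(post_id):
        raise ValueError("invalid post id")
    query = urllib.parse.urlencode({"access_token": token})
    return f"{GRAPH_BASE}/{post_id}?{query}"


def _default_http_get(url):
    """Real transport (hypothetical helper): returns (status, body bytes)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def proxy_post(post_id, token=None, http_get=_default_http_get):
    """Middleman endpoint body: the dict the Android app receives."""
    token = token or os.environ.get("FB_ACCESS_TOKEN", "")
    if not token:
        return {"error": "server misconfigured"}  # say nothing about why
    try:
        url = build_graph_url(post_id, token)
    except ValueError:
        return {"error": "bad request"}
    status, body = http_get(url)
    if status != 200:
        # Expired or revoked tokens surface here; log server-side, but never
        # relay the upstream body, which can echo the request URL and token.
        return {"error": "upstream unavailable"}
    data = json.loads(body)
    return {key: data[key] for key in PUBLIC_FIELDS if key in data}
```

Because the token is read from the server environment and the app only ever sees `proxy_post`'s whitelisted output, rotating an expired token is a server-side change rather than a new APK release.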