Android Facebook SDK: Login works without proper key hash
I have created an Android sample app on developers.facebook.com and haven't provided a key hash in the settings. If I try to log in from the sample with the FB app installed, it gives an invalid key hash error, as expected.

However, if I disable the Facebook app, it opens the WebView overlay by default, and login works fine without an error. Shouldn't this be a security issue? Because if a hacker gets access to the app_id, they can create their own app with the same app_id and use it to log in through FB. It would be helpful if someone can explain this security issue.

When using the WebView, there's no ability to enforce sending of the key hash, since the SDK is open source and you can modify the source code (meaning you can override whatever key hash the SDK generates).

During login, the user will still see the name and icon of the app they're authorizing, and will presumably notice that the one they're authorizing is not the one they have opened. There may be limitations on the access token obtained via the WebView.