Making your Facebook app more secure

The single most important way to make your Facebook app more secure

Aug 14, 2014

If security is an afterthought for you while you develop, let's see how a few big names that have big resources to put into security are doing with protecting their user's data:

And remember how a little bug in OpenSSL made millions of server vulnerable to attack?

Even Facebook has had its fair share of major security issues.

Back in 2010 before Facebook required users to browse behind an SSL it was very easy for an attacker to easily hijack user's sessions.

And last month (July, 2014) an exploit was found in the Facebook Android & iOS SDK's that exposed the logged in user's access token in mobile apps.

There are things we can do as Facebook app developers to minimize the impact that these exploits have.

A quick review of access tokens

When you make calls to the Graph API you use an access token. An access token is very similar to the PHP session ID in that it is a unique identifier that represents a state, such as "Billy Joe is logged in".

Every request that you send to Graph with Billy's access token, Graph will assume that Bill is the one who is "doing the talking" so-to-speak.

Session hijacking an access token

Let's say Billy's access token is i-am-billy-Eose0c. We think we're doing a good job of keeping that access token from prying eyes but somehow an attacker acquires Billy's access token.

Now the attacker can send any request to Graph with access_token=i-am-billy-Eose0c and perform commands on Billy's behalf. That's called session hijacking.

How to prevent access token session hijacking

And now for the single most important way to lock down your Facebook app.

Sign every request to Graph with an app secret proof.

An app secret proof is a one-way encrypted hash of the access token and app secret. You can obtain the app secret from your app dashboard.

The app secret proof is hashed with sha256. In PHP, we use hash_hmac() to achieve this.

$proof= hash_hmac('sha256', '{access-token}', '{app-secret}'); 

After you calculate the app secret proof, you can send it along with the access token in each request to Graph with appsecret_proof=my-proof.

How to enable app secret proof

Unfortunately, for whatever really strange reason, app secret proof feature is disabled by default when you create a new app. Please change this default behavior, Facebook!

To enable the app secret proof for your app, go to your app dashboard.

  1. In the column on the left click on Settings.
  2. Click on the Advanced tab.
  3. Scroll down to the Security section.
  4. Find the toggle for App Secret Proof for Server API calls and click it to enable it.

Now if you try to send a request to Graph without the appsecret_proof parameter, Graph will return an error message.

API calls from the server require an appsecret_proof argument

And that's the error message the attacker will see even if he has Billy's valid access token since he/she doesn't know your app secret and cannot calculate an app secret proof to sign the request.

Bam! Take that evil attacker a-hole!

But keep in mind, this why you need to keep your app secret under big-time lockdown. Make sure you never use it in the URL. If you need to share it with other developers working on your project, only send it to them via a secure method.

If your app secret ever gets leaked, you'll need to go to your app dashboard and reset it.

The app secret proof in the PHP SDK v4.0

What's nice about the PHP SDK v4.0 is that it automatically sends the app secret proof with every request right out-of-the-box. The only thing you have to do is turn the app secret proof feature on for your app as described above.

Going further

Enabling the app secret proof is easily the most important thing you can do to make your Facebook app more secure and better protect your user's data. But it is by no means the only thing you can do.

Here are a few quick tips to lock down your Facebook app even more.

  1. If you ever expose the access token in the URL on the client side, make sure it's always a short-lived access token.
  2. Treat your app secret like your social security number and think twice before giving it to someone working on your project.
  3. Turn off stuff you're not using in your app settings.


In this day & age, prioritizing security while you develop is no longer just for the paranoid programmer. It's for you. You have an obligation as a developer to protect your user's data.

Never stop learning about how to make your code more secure. You'll be a better developer because of it and your users will be more protected.

Be a hero. Protect yourself and your users.

If you found this guide helpful, say, "Hi" on twitter! I'd love to hear from you. :)