Why is an Application Secret secret? (Part 1)
Facebook Application Secrets, along with API Keys, are familiar to Facebook developers – we copy them into our source code so that our apps can connect to the Facebook servers, but do you know their role in the Facebook platform, and how they work?
What’s an Application Secret for?
The Application Secret has two main purposes:
- Mutual authentication between the Facebook servers and your application
- Ensuring the integrity of the data passed between them
These benefits look a lot like the benefits of using SSL, although SSL adds the additional benefit of data encryption. And yes, SSL is typically authenticated only one way (server to client), but client-side certificates allow that authentication to be mutual. If you’re a little shaky remembering what SSL is all about, you can refresh your memory here.
So why did Facebook engineers choose not to simply use SSL to communicate with applications? Why did they instead create a rather baroque system that relies on Application Secrets?
Why is authentication important?
Clearly, ensuring that any passed data has provable fidelity is very important. But why do we authenticate? Who would try to impersonate the Facebook servers or an application? Let’s take a look at the reasons to authenticate in each direction, and we’ll see why it’s so important.
Authenticating the Facebook Server to the Application
There’s very little value for a hacker in trying to convince your application that his server is part of the authentic Facebook infrastructure. In fact, the only reasonable attack is a Denial-of-Service attack to try to shut your application down (perhaps launched from a competing application). If a hacker who learns the URL of your Canvas application (i.e. the Canvas Callback URL) pretends to be the Facebook server, he could send loads of requests to your application until it becomes saturated and crashes. Of course, your app can detect this because only the real Facebook server can authenticate itself to your application with your Application Secret.
Aside from this, it’s hard to imagine why anyone would launch an attack pretending to be a Facebook server. Perhaps hackers are more creative and will come up with reasons to do this, but they won’t get past the authentication stage.
Authenticating the Application to Facebook
In contrast, there are many reasons that a hacker might try to impersonate a popular Facebook application. Without authentication, the hacker can easily run a man-in-the-middle attack by positioning his application between the Facebook servers and the authentic application. Then the hacker can alter any data that the application creates that is destined for the application user’s browser. If the altered data is malicious, this can damage the user’s computer, as well as the application developer’s reputation if the modified data displeases the application user. Of course, since all the mischief goes on behind the scenes, disconnected from the user’s browser, there’s no simple way for him to know that anything has gone wrong.
Additionally, without authentication, a masquerading application could asynchronously query the Facebook server to get all of the private information that a user has shared with the application. The user opts in to share this information with a known and trusted application – he doesn’t expect it to be available to some hacker who gets it by devious means.
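To make the two purposes listed above (mutual authentication and data integrity) concrete, here is an added illustration of how a shared secret can serve both roles in both directions: the Facebook side signs the parameters it sends to your Canvas Callback URL and your app verifies them, and your app signs its API calls so the Facebook side can verify that they really came from you. This is example code written for this post, not Facebook’s client library or its actual signing scheme; the HMAC-SHA256 construction, the parameter names and the secret value are all assumptions made for illustration.

```python
import hmac
import hashlib
from urllib.parse import urlencode

# Constructed for this example; not a real Application Secret.
APP_SECRET = b"example-application-secret-do-not-use"


def canonicalize(params: dict) -> bytes:
    """Encode the parameters deterministically (sorted by key) so that both
    sides sign exactly the same bytes regardless of dictionary order."""
    return urlencode(sorted(params.items())).encode()


def sign(params: dict, secret: bytes) -> str:
    """Keyed MAC over the canonical parameters. Without the secret, nobody can
    produce this value, and changing any parameter changes it."""
    return hmac.new(secret, canonicalize(params), hashlib.sha256).hexdigest()


def signed_request(params: dict, secret: bytes) -> dict:
    """Attach the signature as a 'sig' field, the way a sender would."""
    out = dict(params)
    out["sig"] = sign(params, secret)
    return out


def verify(request: dict, secret: bytes) -> bool:
    """Receiver-side check: recompute the MAC over everything except 'sig'
    and compare in constant time. A missing, forged or stale signature fails."""
    sig = request.get("sig")
    if not isinstance(sig, str):
        return False
    params = {k: v for k, v in request.items() if k != "sig"}
    return hmac.compare_digest(sign(params, secret), sig)


def demo() -> dict:
    """Walk through the cases discussed in the post and report what the
    receiving side would accept or reject."""
    # Constructed callback parameters the Facebook side would post to the app.
    callback = {"user": "1234", "time": "1700000000", "canvas_page": "home"}
    genuine = signed_request(callback, APP_SECRET)

    # Integrity: a middleman edits a parameter but cannot recompute 'sig'.
    tampered = dict(genuine)
    tampered["user"] = "9999"

    # Authentication: a sender who does not know the secret signs with a guess.
    forged = signed_request(callback, b"not-the-real-secret")

    # A request with no signature at all.
    unsigned = dict(callback)

    # The other direction: the app signs an API call (constructed parameters),
    # and the Facebook side verifies it with the same secret.
    api_call = signed_request({"method": "getProfile", "user": "1234"}, APP_SECRET)

    return {
        "genuine_accepted": verify(genuine, APP_SECRET),
        "tampered_rejected": not verify(tampered, APP_SECRET),
        "forged_rejected": not verify(forged, APP_SECRET),
        "unsigned_rejected": not verify(unsigned, APP_SECRET),
        "api_call_accepted": verify(api_call, APP_SECRET),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ok' if ok else 'FAIL'}")
```

Two details matter in practice: the parameters must be canonicalized the same way on both ends (here, sorted and URL-encoded), and the comparison uses `hmac.compare_digest` rather than `==` so that verification time does not leak how many leading characters of a guessed signature were correct. Note that a scheme like this gives authentication and integrity only; as the post says, unlike SSL it does not encrypt anything.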
So keeping your Application Secret secret is pretty important. Important enough that Facebook forbids you to share it (Section 3.7 of the Developer Policies). In our next installment, we’ll discuss the dangers of Application Secrets, and how hackers can attempt to get yours.
