Facebook acknowledges testers exist!

Yesterday, Facebook made a pretty significant announcement for developers of Facebook applications. The announcement involved assigning roles for people on the application development team, and defining what they can and cannot do. As far as I know, it’s the first real acknowledgement by Facebook that Platform application development has moved mainstream and is no longer solely being done by guys in their basements (or lofts – this is Facebook after all). Traditional development teams building Facebook apps using traditional software lifecycle concepts are popping up everywhere. I’ve even see teams build apps on the .NET platform, as unlikely as that seems.

Facebook application development teams have always needed to register who was on the team with Facebook, so that those people could access, build, and test the application before it was released to the greater public. The problem was that belonging to the team was binary – you were either in or out, and only those that were in could access the pre-released app. However, all of the team members could view and modify the Application Secret, change the app’s URL, or throw everyone else on the team off. It didn’t matter what your actual job was, if you were on the list you had absolute authority.

The new Developer's Role dialog

Facebook has now changed that by allowing you to define the roles for the people on your dev team, and thereby limit what they can and can’t do. Here’s a list of the roles you can assign:

• Administrator – complete access to the application and all its settings
• Developer – can modify all technical settings and access Insights but cannot reset secret key, delete application, or add additional users
• Tester – can test the application in sandbox mode but cannot modify the application
• Insights User – can access Insights but cannot modify the application

This is great news, and is a step in the right direction to show that Facebook application development is growing up. I’ve done some consulting on testing Facebook apps, and have always been uneasy when I’ve been added as an applications “Developer”. I always felt uneasy about getting exposure and access to a company’s crown jewels, and asked to be taken off the list as soon as the gig was up. Now, I can be added as a “Tester” and gain access to only those priveleges that I need.

So let’s hope Facebook continues along this thread and provides more tools and services that acknowledge that Facebook application development is being done by teams that have real needs. For example, a real development team will want to stage any code changes before making them live (just like what Facebook does with the Beta Tier). Unfortunately, the only way to test this beta code is to register another application with Facebook so that the production and beta code can run in parallel. But registering a new application will cause a new Application ID/Secret to be created. This means that once the beta code is proven to be good it will have to be modified in order to be run as production. Bad bad idea, but it’s the only way that Facebook will let you do it. It would be nice if Facebook would provide some easy ways to deal with things like this, as well as other difficulties that large dev teams certainly encounter. Facebook – give me a call, I have lots of other ideas.

So what would you change to help your development team interact with the Facebook Platform more easily. Leave a comment to let us know.

Big changes coming to Facebook Platform

Today’s Developer Roadmap post by Facebook has outlined some big changes coming down the pike for Facebook Platform. Here are the big 3 changes (well, as far as we see them):

No new FBML apps

Facebook will no longer accept new FBML Canvas applications by the end of the year. These are the types of applications that launched the Facebook Platform way back in 2007 (the same year that saw the iPhone and The Simpsons Movie). FBML apps have a lot going against them, most importantly is the fact that there’s really no good reason to write them anymore. It used to be that developers who wanted to write Canvas applications had to choose between FBML and the simpler but not-as-powerful IFrame method.

But IFrame has now caught up and surpassed FBML in terms of power, so there’s really no reason why a developer building a new application in 2010 should even consider using FBML. There’s also another issue at stake here. FBML Canvas apps require all of the data traveling between a user’s browser and the application itself to be routed through the Facebook servers. This is a legacy design from 2007 that was done to give Facebook more control, and allow for user authentication, but it’s costing Facebook a lot of money to run these servers that do very little but act as proxies.

Since new FBML Canvas apps no longer provide any real value, and they cost Facebook a lot of money to support, Mr. Zuckerberg et. al. would like to just sweep them under the carpet. Looks like that’s what they’re doing.

Parts of the Classic REST API are being deprecated

Whatever we said about FBML apps is doubly true of the Facebook “Classic” REST API. Born in 2007, it now looks like patches upon patches with no coherent vision. It’s been so far surpassed by the Graph API that Facebook never even bothered to mention any non-Graph API support for their very important location updates yesterday. It’s been clear for a long time that this API needs to be put to rest, and deprecating parts of it is definitely the beginning. We can all say Amen.

OAuth 2.0 will be required for authentication

Another nail in the Classic REST API coffin. OAuth 2.0 goes hand in hand with the Graph API that Facebook would like to push everyone towards. Enough said.

Facebook has historically moved very quickly, which contributes to a good part of their success. Moving quickly means getting things out to customers quickly rather than perfectly and dealing with the consequences later. Today’s Developer Roadmapupdate is a good example of how to deal with those consequences, and will ensure that Facebook developers will continue to have loads of things to do as Facebook continues to innovate.

Why is an Application Secret secret? (Part 1)

Facebook Application Secrets, along with API Keys, are familiar to Facebook developers – we copy them into our source code so that our apps can connect to the Facebook servers, but do you know their role in the Facebok platform, and how they work?

What’s an Application Secret for?

The Application Secret has two main purposes:

• Mutual authentication between the Facebook servers and your application
• Ensuring the integrity of the data passed between them

These benefits look a lot like the benefits of using SSL, although SSL adds the additional benefit of data encryption. And yes, SSL is typically authenticated only one way (server to client), but client-side certificates allow that authentication to be mutual. If you’re a little shaky remembering what SSL is all about, you can refresh yourself here.

So why did Facebook engineers choose not to simply use SSL to communicate with applications? Why did they instead create a rather baroque system that relies on Application Secrets?

Why is authentication important?

Clearly, ensuring that any passed data has provable fidelity is very important. But why do we authenticate? Who would try to impersonate the Facebook servers or an application? Let’s take a look at the reasons to authenticate in each direction, and we’ll see why it’s so important.

Authenticating the Facebook Server to the Application

There’s very little value for a hacker to try to convince your application that his server is a part of the authentic Facebook infrastructure. In fact, the only reasonable attack is a Denial-of-Service attack to try to shut your application down (from perhaps a competitive application). If a hacker  who learns the URL of your Canvas application (i.e. the Canvas Callback URL) pretends to be the Facebook server, he could launch loads of requests to your application until it becomes saturated and crashes. Of course, your app can detect this because only the real Facebook server can authenticate itself to your application with your Application Secret.

Aside from this, it’s hard to imagine why anyone would launch an attack pretending to be a Facebook server. Perhaps hackers are more creative and will come up with reasons to do this, but they won’t get past the authentication stage.

Authenticating the Application to Facebook

In contrast, there are many reasons  that a hacker can try to impersonate a popular Facebook application. Without authentication, the hacker can easily run a man-in-the-middle attack by positioning his application between the Facebook servers and the authentic application. Then the hacker can alter any data that the application creates that is destined for the application user’s browser. If the attack and data is malicious, this can damage the user’s computer, as well as the application developer’s reputation if the modified data displeases the application user. Of course, since all the mischief goes on behind the scenes, disconnected from the user’s browser, there’s no simple way for him to know that anything has gone wrong.

Additionally, without authentication, a masquarading application could asynchronously query the Facebook server to get all of the private information that a user has shared with the application. The user opts in to share this information with a known and trusted application – he doesn’t expect it to be available to some hacker who gets it by devious means.

So keeping your Application Secret secret is pretty important. Important enough that Facebook forbids you to share it (Section 3.7 of the Developer Policies). In our next installment, we’ll discuss the dangers of Application Secrets, and how hackers can attempt to get yours.