In light of the Firesheep exploit, does anyone know what protocol the Facebook for Android app is using?

A: 

It depends on the particular API call you are making. However, any call that includes an access token to either Facebook's REST or Graph API must be over SSL. Facebook will deny the request from their server if you include an access token over a non-secure request. The only API calls that wouldn't be over SSL are ones that access publicly available information such as http://graph.facebook.com/zuck/. This isn't specific to any single Facebook client SDK; this applies to any client accessing Facebook's API servers.

Nathan Totten
Thanks, that's exactly the kind of info I was looking for. After thinking about it, I decided it wasn't vulnerable to Firesheep itself, since Android sessions don't show up in my FB session list. But it's good to know the FB API uses a secure connection. (Now why haven't they been doing that with the web UI? Hopefully that will change soon.)
vanmelle
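A client-side counterpart to the server-side rule described in the answer, as an added example that is not part of the original thread or of any Facebook SDK: a guard that refuses to send a request carrying an access token unless the URL is HTTPS, so the token never reaches the wire in clear text. The `access_token` parameter name, the `/me` paths and the token values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

TOKEN_PARAM = "access_token"  # assumed parameter name for the token


class InsecureTokenTransport(Exception):
    """Raised when a request would carry an access token over plain HTTP."""


def carries_token(url, headers=None, body=""):
    """True if a token is present in the query string, a form body or an Authorization header."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    form = parse_qs(body or "", keep_blank_values=True)
    has_auth_header = any(k.lower() == "authorization" for k in (headers or {}))
    return TOKEN_PARAM in query or TOKEN_PARAM in form or has_auth_header


def guard(url, headers=None, body=""):
    """Return the URL if it is safe to send; raise before any bytes leave the client otherwise.

    Call this on every hop, including redirect targets, so an HTTPS request
    cannot be downgraded to HTTP with the token still attached.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % scheme)
    if scheme != "https" and carries_token(url, headers, body):
        raise InsecureTokenTransport("access token would be sent over plain HTTP")
    return url


def is_blocked(url, headers=None, body=""):
    """Convenience wrapper: True when guard() rejects the request."""
    try:
        guard(url, headers, body)
        return False
    except InsecureTokenTransport:
        return True


if __name__ == "__main__":
    # Constructed sample requests: (url, headers, form body)
    samples = [
        ("http://graph.facebook.com/zuck/", None, ""),                      # public, no token
        ("https://graph.facebook.com/me?access_token=EXAMPLE", None, ""),   # token over TLS
        ("http://graph.facebook.com/me?access_token=EXAMPLE", None, ""),    # token in clear text
        ("http://graph.facebook.com/me", {"Authorization": "Bearer EXAMPLE"}, ""),
        ("http://graph.facebook.com/me/feed", None, "message=hi&access_token=EXAMPLE"),
    ]
    for url, headers, body in samples:
        print("BLOCK" if is_blocked(url, headers, body) else "allow", url)
```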