I’m writing an iPhone app that’s using Facebook Connect. While testing, you normally embed your app secret directly into the code and set up Facebook with this call:
session = [FBSession sessionForApplication:myApiKey secret:myAppSecret delegate:self];
However, for production code it’s recommended to use a session proxy instead of embedding your app secret into your code:
session = [FBSession sessionForApplication:myApiKey getSessionProxy:myURL delegate:self];
I can see how giving away your “secret” is probably a bad thing — it allows anybody to take actions that appear to originate from your app — But I don’t see how using a proxy solves that problem. An attacker can simply point his code to your session proxy. The proxy doesn’t do any kind of verification that the request is coming from your app. In other words, you’re not giving away the keys to the kingdom, but you’re giving day passes to absolutely anybody who asks!
So where is the added security? Are there extra privileges that the app secret gives you that a proxied session does not?
Answering my own question, yes, there are extra privileges associated with the app secret. This page identifies the API methods that require the app secret vs. those that can use a session secret:
http://wiki.developers.facebook.com/index.php/Session_Secret_and_API_Methods