android - Provide secure Facebook authentication with my Server

Question

I would like to build a little mobile App (Android and iOS) and a little backend server with a REST Api.

My app users (android or iOS) needs to login on facebook. I do that by using facebooks mobile sdk. When the login has been successful, facebook sdk will return a authentificationToken, that is now on the users smartphone.

The idea is as follows: Whenever my app needs some data, the app will conntact to my server backend (REST) over HTTPS. For example: The app makes a simple HTTP GET and passes the retrieved Facebook authenticationToken. My Server gets this facebook authenticationToken and use this token to determine, if the user is a authenticated and to retrieve facebook profile information (firstname, lastname etc.). So the server contacts facebook too and generate the personalized response for the HTTP GET Request.

My questions are:

1. Is it really enough to pass this facebookAuthentication token for each REST API call, to make the server retrieve the correct associated facebook user?
2. I use HTTPS, so I guess, the connection is encrypted enough, right?
3. I guess I need some signature mechanism so sign each REST API call (over HTTPS) to ensure that the facebookAuthentication token has been sent only from my mobile App. I would do that by using RSA with SHA-1 to sign any REST API call. But the problem with this approach is: that the client need to stores the private key somewhere in the App (for signing requests) and the server knows the public key (for signature matching). Is this correct? If yes, I guess its a big security issue, since a mobile app (especially android) could be decompiled to get the private key. How do I store this private key securely in my app? Is there another system for signing that you can recommend?

Bt: Do you know a good RSA lib for iOS and Android?

Answer 1

1) Yes. It's enough. If your client (mobile app) has a token, it proves that a user authenticated to Facebook. So, you authenticated a user this way. However, it's not enough to authenticate a mobile app (about this, I will talk in #3).

2) Yes. It's encrypted both ways.

3) That's tough one. It's called remote attestation. There are A LOT of problems with this.

Before you go into this direction, you need to ask yourself two questions

• Who are you protecting against?

• How much am I willing to invest?

If you are protecting yourself against a student with very limited knowledge, who may write another mobile app which will use your server then you are fine with a signature.

If you are protecting against just a little bit more sophisticated software engineer (who can reverse engineer your application) - it won't be enough. This engineer can extract a private key from your application and use it to sign requests in his application.

You can read about remote attestation here and here.

Solutions which can protect you from simple reverse engineering are quite complex.

P.S. Regarding RSA library.

Look at this for Android:

Asymmetric Crypto on Android

And this for iOS

RSA Encryption using public key