Facebook App Type: Which one to pick for mobile AND web?

borisdiakur · Jul 23, 2012 · Viewed 10.7k times

In the Facebook App Settings ☞ Advanced ☞ Authentication I can pick "Web" or "Native/Desktop" as App Type. The info bubble says:

Only select Native/Desktop if you are a Native iOS or Android app, device, or Desktop app

Actually I am none of those but my app is a Native iOS App as well as a Facebook Page Tab.
Question: Which App Type should I pick?

I did some research and found the following in the Facebook Android Tutorial (under Troubleshoot):

  • App type Web vs Native/Desktop. Does it matter?: No, it does not matter. However it's recommended to use the type 'Native/Desktop' for your app.

What does it mean it does not matter? That does not make sense to me. Why should I have a choice then?

I did some more research on SO and found this statement by @Igy (dev support engineer at Facebook):

If the app's type is set to 'Native / Desktop' it's assumed you distributed the app's secret key with the binary, and thus the app access token isn't trusted (and 'getAccessToken' in the PHP SDK will only work when real users log in, it can't fall back to the app token)

Finally I found this in the Facebook documentation:

Note: Applications that are configured as Native/Desktop apps will not be able to make API calls that require an application access_token.

I do need to make API calls which require an access token from my page tab app, hence my conclusion is to pick "Web" as the App Type, although I have a native iOS app using the same app ID as the page tab app. But will that have any drawbacks on the iOS app?

Answer

Igy · Jul 23, 2012

TL;DR: use 'web' unless you're putting the app secret into the iOS / Android binary

The primary difference (and also the reason that it says 'it doesn't matter' while also giving a recommendation) is that if you choose 'native/desktop' mode, it's assumed that you distribute the app binary with the application secret embedded and the app secret is considered untrusted.

In this configuration, API calls which use the app secret (e.g. creating test users, making API calls on behalf of the app itself like changing app settings, posting achievements, etc) will not work.

If your app doesn't need to use the app secret / app access token, setting it to native/desktop increases the security somewhat as there's one less attack vector for your app.

If you're distributing the app secret with your code you MUST use that option or users could easily determine the app secret and hijack the app itself.
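A defender-side check tied to the answer's last rule, added here as an example and not code from the question, the answer or Facebook's SDKs: it scans the printable strings of a build (a constructed sample below, with a made-up app ID and secret) for an embedded app secret and maps the result to the App Type the answer recommends. It assumes Facebook app secrets are 32 lowercase hex characters and that the app access token has the form app_id|app_secret.

```python
import re

# Constructed sample of what `strings` over a mobile build might print.
# The app ID and secret below are made-up placeholders, not real credentials.
SAMPLE_STRINGS = [
    "https://graph.facebook.com/me?access_token=",
    "fb_app_id=123456789012345",          # the app ID is public; shipping it is fine
    "FacebookAppSecret",                  # a key name next to a 32-hex value
    "0123456789abcdef0123456789abcdef",
    "123456789012345|0123456789abcdef0123456789abcdef",  # app access token form
    "FacebookAppID",
    "com.example.app",
]

# app_id|app_secret: this is the app access token itself (assumed format).
APP_TOKEN_RE = re.compile(r"\b(\d{6,20})\|([0-9a-f]{32})\b")
# A lone 32-hex string is ambiguous (an MD5 is also 32 hex), so it only counts
# when a "secret" hint sits within a few neighbouring strings.
HEX32_RE = re.compile(r"[0-9a-f]{32}")
SECRET_HINT_RE = re.compile(r"secret", re.IGNORECASE)


def find_embedded_app_secret(strings, window=2):
    """Return (kind, app_id_or_None, secret) tuples for likely embedded secrets."""
    findings = []
    for i, s in enumerate(strings):
        m = APP_TOKEN_RE.search(s)
        if m:
            findings.append(("app_access_token", m.group(1), m.group(2)))
            continue
        if HEX32_RE.fullmatch(s.strip()):
            context = strings[max(0, i - window): i + window + 1]
            if any(SECRET_HINT_RE.search(c) for c in context):
                findings.append(("hex32_near_secret_hint", None, s.strip()))
    return findings


def recommended_app_type(findings):
    """The answer's rule: secret shipped in the binary => Native/Desktop, else Web."""
    return "Native/Desktop" if findings else "Web"


if __name__ == "__main__":
    hits = find_embedded_app_secret(SAMPLE_STRINGS)
    for kind, app_id, secret in hits:
        print(f"{kind}: app_id={app_id} secret={secret[:4]}...")
    print("App Type to select:", recommended_app_type(hits))
```

A build that yields no findings can keep the secret server-side and use the Web type, which is the configuration the question's page tab needs for app-token calls.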