Major Facebook Security Changes Oct 1: Audit your Applications Now!

On October 1, 2011, Facebook will make a mandatory change to all applications, as per the Facebook Developer Roadmap. Any affected application not updated before the change will become inoperable.

It is imperative that you audit every client Facebook app and experience to determine whether it will be affected by these changes. To repeat: existing Facebook applications must be updated (or the update inserted into the current build plan for applications still in development); if they are not, those client applications will stop working on October 1.

We are sending this out now because Facebook has just released updated versions of its supported SDKs, so the migration work can start immediately.

Recommended Audit steps:

  1. Identify and list all programs with Facebook integrations.
  2. Identify programs that will continue to be live after September 30, 2011.
  3. Work with each program’s associated tech resources to determine whether the program will be affected.

Facebook Security Update FAQ

Why is this happening?

Facebook has recently been the subject of many concerns about the level of security around the exchange of personal information with applications. The two changes address that directly: HTTPS so that access tokens and user data are no longer exchanged in the clear between the user’s browser, Facebook and the app, and OAuth 2.0 so that apps obtain access tokens through a standard authorization flow instead of the older session-based scheme.

Is this optional?

Unfortunately, Facebook has made this mandatory. Historically, Facebook has treated changes like these as part of the ‘cost of doing business on Facebook.’ They move fast, and expect you to as well.

What will be affected?

Any application on:

  • Facebook Pages
  • Facebook Canvases
  • Non-Facebook site (minisite, client’s .com) using Facebook Connect

and using:

  • IFrames
  • OpenGraph
  • Facebook SDKs
    • Official
      • PHP
      • Javascript
    • Unofficial
      • Java
      • .NET
      • Ruby
      • Etc.

What will not be affected?

  1. Much older FBML applications – predating IFrame switchover.
  2. Site integrations limited to Facebook Social Plugins (Like buttons, Send buttons, etc.) that don’t do deeper Connect/OpenGraph integration.

What changes need to be made?

All applications must be served over HTTPS with a valid SSL certificate. This means acquiring a certificate and working with the associated IT resources to install it on the servers where the program is hosted, then pointing the app’s settings at the https:// address. The certificate cannot be “self-signed”: it must be issued by a certificate authority that modern browsers already trust, must match the hostname the app is served from (a wildcard certificate if the app lives on a subdomain that differs from the main site), and the server must send the full intermediate chain so that no browser shows a warning. Also check that the app’s pages do not load scripts, stylesheets or iframes over plain http://, because browsers flag or block that mixed content once the page itself is loaded over HTTPS.
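The audit steps above and the certificate requirement can be checked mechanically. The following is an added example, not code from the original post: it takes a constructed inventory of programs (the hostnames are placeholders, not real client apps), flags every entry still served over plain http://, and for https:// entries performs the same verification a browser would, using Python’s default verifying TLS context (system CA store, hostname check, expiry). A self-signed or otherwise untrusted certificate is reported as rejected rather than crashing the audit.

```python
"""Audit helper for the Facebook HTTPS / certificate requirement (added example)."""
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed inventory for the audit (step 1: programs with Facebook
# integrations). Hosts are hypothetical placeholders.
PROGRAMS = [
    {"name": "Spring Sweepstakes tab", "url": "http://apps.example-agency.test/sweeps/"},
    {"name": "Brand canvas game", "url": "https://canvas.example-agency.test/game/"},
    {"name": "Minisite using Connect", "url": "https://promo.example-brand.test/"},
]


def needs_https_work(url):
    """True when the app URL is not served over https:// at all."""
    return urlparse(url).scheme.lower() != "https"


def audit_offline(programs):
    """Return the names of programs whose URL fails the scheme check."""
    return [p["name"] for p in programs if needs_https_work(p["url"])]


def parse_cert_time(text):
    """Parse the notAfter/notBefore format that ssl.SSLSocket.getpeercert()
    returns, e.g. 'Jun  1 12:00:00 2026 GMT', as an aware UTC datetime."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Days left on a certificate; negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_cert_time(not_after) - now).days


def verify_cert(hostname, port=443, timeout=5.0):
    """Connect with a verifying context: a self-signed or untrusted chain, a
    hostname mismatch and an expired certificate all raise
    SSLCertVerificationError, which is exactly what a browser would refuse."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": "certificate rejected: " + exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "reason": "connection failed: %s" % exc}
    issuer = dict(pair[0] for pair in cert.get("issuer", ()))
    return {
        "ok": True,
        "issuer": issuer.get("organizationName", "?"),
        "days_left": days_until_expiry(cert["notAfter"]),
    }


def audit(programs):
    """Full audit: scheme check first, live certificate check for https URLs."""
    report = {}
    for p in programs:
        if needs_https_work(p["url"]):
            report[p["name"]] = {"ok": False, "reason": "not served over https://"}
        else:
            report[p["name"]] = verify_cert(urlparse(p["url"]).hostname)
    return report


if __name__ == "__main__":
    for name, result in audit(PROGRAMS).items():
        status = "OK" if result["ok"] else "FAIL"
        detail = result.get("reason") or "issuer=%s, %d days left" % (
            result["issuer"], result["days_left"])
        print("%-28s %s  %s" % (name, status, detail))
```

Run it against the real inventory by replacing PROGRAMS. A FAIL with “certificate rejected” is the self-signed or wrong-hostname case the text warns about; a small days_left value is a renewal to schedule before the deadline. Note that Python trusts the operating system’s CA store, which can differ slightly from a browser’s, so treat a pass here as strong evidence rather than proof and still load the app in a browser once.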

Integration code must be upgraded to OAuth 2.0, Facebook’s new authentication flow; the older session-based login stops working at the same time:

  • Apps using the PHP SDK: update to the latest official Facebook PHP SDK and make the minor code changes its release notes describe.
  • Apps using the Javascript SDK: update to the latest official Facebook Javascript SDK and make the minor code changes its release notes describe.
  • Apps using other SDKs must be updated in whatever manner is appropriate for that SDK; if the unofficial SDK has no OAuth 2.0 release, plan for that gap now.

In the Facebook developer console, under “Settings -> Advanced”, enable “OAuth Migration”, and then test a full login on the live app, since that switch is what turns the new behaviour on for your users.

What do we do if our app is hosted by a social app vendor (Involver, Buddy Media, Wildfire, Vitrue, etc.)?

Reach out to the vendor and ask them if they have a plan in place for the “Facebook OAuth 2.0 and SSL changes”.

It might be an annoying change to have to make but it’s nice to see Facebook putting some thought into privacy protection. What are your thoughts on the upgrade?