Yes, Justin, you can see, but there is nothing secret there :-) The "app secret" is used to build a query to Facebook/etc. to get data.
The "app secret" is appended to the "query string" and a hash is produced. If you sniff the resulting hashed data from the network - you win nothing as an attacker. But if you get the "app secret" from the app - you can impersonate other users and send queries to Facebook/etc. on their behalf.

Regards
Alex

On Fri, Feb 28, 2014 at 9:07 AM, Justin Mclean <jus...@classsoftware.com> wrote:

> If the secret is stored in the client you may have to even decompile the
> app to get at it, just use a reverse proxy and you can see everything sent
> backward and forwards even if the app is using SSL.
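
Added example, not part of the original mail thread: a minimal Python sketch of the scheme described above (secret appended to the query string, then hashed), showing that a signature is bound to one exact query and that only a holder of the secret can sign a different one. The SHA-256 choice, the parameter names and the secret value are assumptions made for illustration, not any provider's actual API.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed value for illustration; in a real deployment this stays on the
# server and is never compiled into the client app.
APP_SECRET = b"constructed-demo-secret"


def sign_query(params: dict, secret: bytes) -> str:
    """Append the secret to the canonical query string and hash the result."""
    canonical = urlencode(sorted(params.items())).encode()
    return hashlib.sha256(canonical + secret).hexdigest()


def verify_query(params: dict, signature: str, secret: bytes) -> bool:
    """Provider-side check: recompute the hash and compare in constant time."""
    return hmac.compare_digest(sign_query(params, secret), signature)


def demo() -> dict:
    # Constructed sample queries.
    original = {"user": "alice", "fields": "name"}
    other = {"user": "bob", "fields": "name"}

    observed_sig = sign_query(original, APP_SECRET)  # what crosses the wire

    return {
        # The signed query verifies.
        "original_ok": verify_query(original, observed_sig, APP_SECRET),
        # The observed hash does not validate a different query.
        "observed_sig_on_other_query": verify_query(other, observed_sig, APP_SECRET),
        # A signature made without the real secret is rejected.
        "wrong_secret": verify_query(
            original, sign_query(original, b"not-the-secret"), APP_SECRET
        ),
        # Whoever holds the secret can sign any query, which is why it must
        # not ship inside the client.
        "secret_holder_signs_other": verify_query(
            other, sign_query(other, APP_SECRET), APP_SECRET
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
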