5 Steps to Dramatically increase the Security of Your Facebook Development Setup

Beside the fact that every serious web developer should take some time to protect their app against attacks like XSS and SQL injections, many developers forget about protecting the app on Facebook and their own Facebook profile as well. In this quick tutorial I will show you 5 easy steps to increase the security of […]

Beside the fact that every serious web developer should take some time to protect their app against attacks like XSS and SQL injections, many developers forget about protecting the app on Facebook and their own Facebook profile as well. In this quick tutorial I will show you 5 easy steps to increase the security of your Facebook apps and accounts significantly.

One of the biggest advantages of the Facebook Platform is its ease of use. Most developers already have a private Facebook account and therefore can create a new Facebook app within a few seconds/clicks in the Developer Dashboard. Developers tend to keep it short – they fill out the “basic” section with the required urls and after saving these settings, they never ever have a look at the Developer Dashboard again. When talking about Marketing apps, it’s even worse: Right before launching a new campaign, the developer usually requests & receives admin permissions to the client page in order to install the tab app. Then the campaign starts and suddenly everyone forgets about the poorly configured Facebook app and the developer’s new admin rights because the next project is already in the pipeline and everything seems to work as expected. the buzz works!

The advanced configuration of the Facebook app as well as the developer’s Facebook profile itself often remains untouched. But these aspects shouldn’t be disregarded at all. If you don’t set up your development environment securely, following problems can arise very quickly:

  1. If someone has access to your account, App-Details could get spyed out (e.g. the app-secret, which is listed in the developer dashboard, which could potentially be abused, f.e. to send notifications to users)
  2. Changes to app-paths could be made, which could redirect the apps’ traffic to another server
  3. Further admin users could be added, or previously added users could be removed = complete loss of the app
  4. Complete Facebook App could be deleted (of course this effects only the Facebook app, not the data you save on your own web servers)

If you were also added as a page admin to install the page tab, there could be even more severe risks:

  1. Creation of new unauthorised/unserious/spam/scam posts
  2. Removal of old postings/comments
  3. Removal of all legitimate admins = complete loss of page
  4. Worst case: the scheduling of page-deletion

Now that you know what the worst problems could be, let’s see how we can increase our own profile or Facebook app security within 5 easy steps:

2 Factor Auth / Login Approvals

Don’t rely exclusively on your password which you may also use on other websites as well. Activate Facebook’s 2 Factor Auth (aka Login Approvals). Two factors meaning that if  you have entered your password to a yet-unknown browser/app/computer, you have to enter a second, additial confirmation code. You can grab this code either automatically via SMS or by using the Facebook native app on Android/iOS. The method to login with 2 factors is, of course, more time consuming, but one of the best ways to prevent unauthorised access to your account. You can find the Login Approvals within the security-section of your Facebook profile.

The mentioned 2 factor auth works only in yet-unknown browsers/apps. If you log in to your own machines, no second confirmation is needed. By the way – when talking about your own computer: Why not log out from Facebook after work to secure your office computer as well? The best part: Facebook offers you a graphical present when logging out. So, when was your last time you have seen the “Logout Experience“?

Development Groups

It’s a common use-case scenario in companies domains or in server-configs, but not widely used within Facebook App configurations: The use of groups for developer roles. Most of the developers tend to add specific users to the built in roles (admins, developers, testers, insight users) directly. But there’s a better solution for this: Simply use Facebook Groups to add specific role memberships. The subsequent addition/removal of users is dead easy and saves you a lot of time. (think of the time you need to remove a user from one group instead of the removal from 200 apps). In addition, the management of insights users (which tend to be client-accounts and not always connected to you) via groups is really comfortable and worth mentioning.

Restrict the access to development settings via IP

Facebook itself provides really useful functionality to limit the access of developer settings. The following two points should be used for every app you build:

  • Update Settings IP Whitelist: If filled out, only users with specific IP-addresses (think of your office-IP-address) can change all app settings
  • Update Notification Email: If filled out, all changes to app-settings are summed up by e-mail, which also contains the originating IP-address/Facebook user, who made the changes

Find these settings in the “Security”-Section within the “Advanced”-tab in the Developer Dashboard of your app.

Don’t be a Page Admin of your client’s page

In german there’s the proverb “Too many cooks spoil the broth” and I think it’s the same when doing community management. The more admins a page has, the more problems can arise. If a developer account got hacked, it’s only a matter of time that an attacker finds out about the pages, the account is administering. As described above, this can cause real damage to your clients page!

Fortunately, there’s no reason at all, why a developer account should be granted admin-rights to a page of a client. There are a ton of ways to install a tab app to a page which can be done by the client themselves:

A separate “Fake”-Account for Development

Last, but not least. Don’t get me wrong with this one! According to the Facebook Community Standards, you should never ever use a fake identity:

Claiming to be another person, creating a false presence for an organization, or creating multiple accounts undermines community and violates Facebook’s terms.

Because I always try to comply to Facebook terms, I personally don’t have a second account. But when it comes to a security point of view, it could truly be a game changer to isolate your developer account from your own, private account, which you use outside of your office for your own social stuff (or for using any third-party-apps).


At first sight, security always is a millstone around someone’s neck. Security costs time. In the end, it’s worth every second! The mentioned steps cost you approximately 10-15 mins per project, but can save you a lot of time & headache in the future. It’s simple: The more time that you invest in your security, the more time a potential hacker needs to compromise your app/account.

So, all alarm signals should flash, if you’re currently not using any of the techniques described above. Stop being a dirty app dev and start being a MOAR reasonable and security aware Facebook app developer now! Your clients and your users will appreciate your efforts!

About Author

Johannes Nagl

Johannes is CTO here at Die Socialisten and always looking for ways to optimize his code. He thinks that the best moment to start something is always now. Follow Johannes on Twitter, Facebook or Google+!

Facebook Twitter Google+ Foursquare SlideShare