Reposting this from my FB feed
## TL;DR: Don’t put your FB username and password into mobile apps when you don’t have the native FB app installed!
Today I learnt that the Facebook SDK for Android is very insecure. At first I thought a man-in-the-middle attack on the SDK’s OAuth authentication process was not possible, but if the SDK embeds someone else’s WebView inside your own app, you can very well control that WebView: either via reflection, or simply by modifying the SDK code, because FB distributes the SDK as a public download that you then compile and link into your app. If the SDK does not find the FB app installed on the user’s phone, it falls back to an embedded WebView for authentication.
The images below show the embedded WebView login (with the cross mark) and the intercepted username and password. The last image shows the native FB login provided by the Facebook Android app.
If you are interested in reproducing this, apply this diff to your FB SDK WebDialog.java and you will be pretty amused.
An embedded WebView OAuth sign-in procedure
The actual Android login is supposed to look like this: