Leaked OAuth App Secret (Facebook)

This information is intended for developers of apps that have embedded the Facebook App Secret in their apps.

Knowledge of the secret is tied directly to special access to data that users might have granted to the application. If compromised, the App Secret can be exploited by an attacker to access user’s data that your application has been granted access to.

We recommend that you update your app to implement Facebook’s recommended implementation strategy and SDK. You can find implementation details on Facebook developer support page here.

Next steps
1. Update your app to not embed the App Secret.
2. Sign in to your Developer Console and submit the updated version of your app.
3. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly. 

For other technical questions, you can post to Stack Overflow and use the tag “android-security”. Note that questions about Play policy should not be posted to Stack Overflow.

Note that apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel you have received this vulnerability warning in error, contact our policy support team through the Google Play Developer Help Center.

Was this helpful?
How can we improve it?