Find who made changes to FB app settings (FB login redirect URLs list) - facebook

Good day!
On one of our apps, the list of URLs allowed as redirects from FB login has mysteriously changed. I don't believe in wonders, so probably someone has changed them. This change has caused several damages, and currently we are discussing blame and damage cover as well as prevention of future incidents with our customer.
Question: can I somehow see who changed the FB app settings and when, or ask someone in FB support about that? There are many people with admin access to the app, and without tracking their actions, undesired changes will happen again sooner or later.
Thank you in advance

Retroactively, you probably can't.
But you can set your app up to send a notification about any changes that occur, and by whom they are made.
https://developers.facebook.com/docs/apps/security#app-settings-security
Update Notification
In the event that such a takeover does take place, we have built a notification system to expedite discovery and recovery from such takeovers. This notifies relevant individuals when any app settings are changed using the App Dashboard. The notification contains information about what change was made and by whom.
An app can register an email address to which these notifications should be sent in the Advanced tab of app settings.

Related

App Review on Facebook - Private Software that may scale up in the future

So we've developed a Facebook App (and similar apps on Twitter and Instagram) that allow users to post and read content using an external system. We'll sell this integration directly to our clients, so it's a private application.
Basically the user will see a very simple page with a button "Log in to Facebook" and a disclaimer regarding the authorization (we'll use some query params fixed in the url, depending on the client). The client authorize us and we capture the access tokens.
To submit the app review, though, we have to explicitly give a test user to the reviewers, but that's not really possible because the real "action" happens within the integrated systems, NOT within the app itself. And those systems are not public (they shouldn't be).
So just to be clear: our app is basically a very simple "Facebook login" that we use to get tokens, generated by specific clients authorization. It's not going to be published anywhere.
Until we have around 5 to 10 clients we can add the specific users in our app as Testers/Admins/etc, but what if we scale up? Say we have 20 clients. How are we supposed to get our app to be "live"?
To follow the app review steps we would have to create some users in our local systems (we have some dev environments), open them to the internet so the reviewers can log in and see how it actually works? Is that it?
(btw I'm asking this because our app review was rejected twice and I want to make sure I'm submitting everything they ask this time).
Thanks :)

I think the Login Review FAQ answers most of your questions. The key point:
Our review team will actually test how your app uses each permission on every platform you have listed in the settings section of your app.... You'll need to explain exactly how to test each permission or feature in your app so that we can make sure it works and follows our policies. We can't approve your app if we can't fully test how it integrates with Facebook.
In other words, it's not enough to just allow them to log in to your app, you have to expose all Facebook-related features to the reviewer.
To follow the app review steps we would have to create some users in our local systems (we have some dev environments), open them to the internet so the reviewers can log in and see how it actually works? Is that it?
Yes, though I'm not sure what you mean by "open them to the internet". You should be able to create a test user on your local system and link that account to a test Facebook user. Then you can have the Facebook reviewer use that test account for their review. (From the FAQ: "In the Items in Review section, you'll see a Test User (optional) section that allows you to type the name of the user you wish to be used in your review.")

Facebook refusing to approve my application - Permission to mention pages

Facebook, a multi billion dollar organisation won't fork out for some live chat agents. Instead I'm stuck in a loop asking for approval, them not reviewing my app properly and giving me a cut/paste response. They say they monitor here, so here's hoping.
Nobody but me will ever use my app. It's a PHP page that posts to our radio station's Facebook page timeline www.facebook.com/BCnowplaying every hour or so, music that's playing on Budgie Collective.
We don't want to spam, this is why the nowplaying page is separate to our normal page.
The app works. All it does is grab a token, store it and post info to the page periodically.
I asked for permission to mention pages. And it was like I divided by zero. I only want this to mention pages of the DJ that compiled the mix that's on air (which is a sanctioned mention, as they have asked for this)... so that when their mix comes on, they are notified.
When I ask for the app to be granted this ability, I get told to show how the public will log in and use the app, and to give sample user accounts. Of course I have explained all this when requesting the permissions. But I keep getting knocked back. Nobody will talk to me directly and every time I re-explain and submit, I have to wait for several days to be given an answer that has nothing to do with how my app works. It's like they aren't even reading the submission.
What can I do next?

Since you're the only one using the application, there is no need to apply for approval. Owners of the application can already use the permission without going through the submission process.
By asking for approval you are basically telling Facebook that you want the public to use the mention feature as well.
So the solution here is to use the app as is and just change the settings to public in Settings > Status
Do you want to make this app and all its live features available to the general public?
Switch to yes.

Is it allowed in iOS and Android to not let a user close their session?

I'm writing an app for a retailer, but my client wants that, once the user has logged in, the app does not let him/her log out.
My question is: Is this a permitted behavior on Apple apps? Will it get rejected? I've been looking for a policy related to this, but haven't found anything that either allows or denies this.
Thanks in advance.

You cannot prevent the user from just killing the app. But she does not necessarily have to be logged out. If you mark her as "logged in" by means of some persistent store (such as user preferences), you can have her be logged in automatically the next time she starts the app.
This is a design that I have seen in many apps. I do not think that it would get you rejected. The user would have to delete the app completely to log out.
One possibility: put a "change login" option into the preferences. At least on iPhone, that is very far away from the app, at the bottom of the settings app which most users never find. Even then you could only let the user be logged out completely once she is logged in with a different valid login.
My recommendation: don't take the control away from the user. Explain to your client that there is a balance between marketing necessities and the danger of annoying important customers who might unduly amplify negative sentiments. Accommodate the needs of your client by making it a bit tedious to log out - but not more.

iPhone/Android app letting users share login/logoff statuses like Skype

I need to develop an iPhone/Android app in which users can share their friend's online/offline status in real time.
When a user launches the app, the app shows which user is online. If someone changes the status, the other users can know this change.
This is almost the same function of Skype online/offline notification.
How can I implement this functionality? (I think maybe I should use Apple Push Notification Server for the iPhone app.)
Does anyone know any tutorials, example/similar code, or any other useful references?

Push Notifications are not a good idea. They are not real-time. The best way of implementing the needed behaviour is to have a thread polling the server (this will also work with any mobile/non-mobile OS).
On the server you should have 2 services:
(1) one that retrieves your friend list initial statuses and stores it
(2) another (the one that you poll) that only returns the statuses that changed in the meantime
You can implement if-modified-since on the (2)nd service so that your information exchange could be kept at a minimum.
Hope it helped
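
The two services and the If-Modified-Since exchange described in this answer, as an added example that is not part of the original post. The in-memory `STATUSES` store, the function names and the `Poller` class are assumptions made for illustration.

```python
from email.utils import formatdate, parsedate_to_datetime

# Constructed sample data: user -> (status, Unix time of the last change).
STATUSES = {
    "alice": ("online", 1700000000),
    "bob": ("offline", 1700000060),
}

def _http_date(ts):
    # HTTP dates have one-second resolution, so change times are whole seconds.
    return formatdate(ts, usegmt=True)

def initial_statuses(friends):
    """Service (1): full snapshot plus the time the client should poll from."""
    known = {f: STATUSES[f] for f in friends if f in STATUSES}
    body = {f: status for f, (status, _) in known.items()}
    newest = max((ts for _, ts in known.values()), default=0)
    return 200, {"Last-Modified": _http_date(newest)}, body

def changed_statuses(friends, if_modified_since=None):
    """Service (2): only statuses changed after If-Modified-Since, else 304."""
    try:
        since = int(parsedate_to_datetime(if_modified_since).timestamp())
    except (TypeError, ValueError):
        since = 0  # missing or malformed header: send everything
    changed = {f: STATUSES[f] for f in friends
               if f in STATUSES and STATUSES[f][1] > since}
    if not changed:
        return 304, {}, {}
    newest = max(ts for _, ts in changed.values())
    body = {f: status for f, (status, _) in changed.items()}
    return 200, {"Last-Modified": _http_date(newest)}, body

class Poller:
    """Client side: one snapshot, then cheap delta polls."""
    def __init__(self, friends):
        self.friends = friends
        _, headers, self.view = initial_statuses(friends)
        self.last_modified = headers["Last-Modified"]

    def poll(self):
        code, headers, body = changed_statuses(self.friends, self.last_modified)
        if code == 200:
            self.view.update(body)
            self.last_modified = headers["Last-Modified"]
        return code, body
```

Because the header only carries whole seconds, a change recorded in the same second as the previous `Last-Modified` value is not returned by the next poll; a server that needs finer ordering would use a change counter instead.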

How do you limit a Facebook app to a small number of people during testing?

I know about test accounts, but during beta I'd like to allow access only to my friends, and then later friends-of-friends, and then only eventually Kevin Bacon and his friends.
That would probably suck, wouldn't it? The app would be listed (is there a way to prevent listing?) and someone I don't know might try it and get a "sorry, this is in development message." I imagine they'd be irritated and not come back.
From what I've read, only a few apps take off, but when they take off, they REALLY take off. Do developers just release these things fully baked?
Anyone start out with OpenSocial or other smaller-than-Facebook networks?
Any ideas for a soft, gradual, restricted roll-out?

Once you've set up your application, there is a setting in the Developer application control panel for your app: Your app -> Advanced -> Sandbox Mode.
Sandbox mode lets you restrict access to only those people listed as developers (under the Basic section).
In terms of expanding the app, Facebook doesn't provide much more flexibility than the Sandbox mode. Unfortunately, adding everyone as Developers of the app doesn't work very well for a beta, as people can access the application control panel once they are a developer. I ended up putting a whitelist of Facebook Ids into the front controller of my application for a previous beta, and it worked fairly well.
The apps are only listed in the App Directory if you submit them and they are accepted. There's no issue about preventing listing, it's something you have to apply for.
As for restricting users, you can accomplish it with a script in the application that checks whether the currently logged-in user is within your restricted user set. For example, if you only want friends of yourself, check whether the current user is friends with your user id. If not, simply display an error/message page or redirect them to the Facebook home page (or wherever). Add this check to the rest of the start-up logic run on each page (such as connecting to your DB and authenticating with Facebook).
What I have done in some cases is keep a database table with the user id's of users who are allowed access, essentially a "whitelist". If the user isn't in the table, redirect them.
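
One way to implement the database-backed whitelist check described in the answers above, as an added example that is not code from any of the posters. The table name `beta_allowlist`, the environ key `beta.fb_user_id`, the `/not-in-beta` URL and the numeric IDs are hypothetical, and the example assumes an earlier authentication step has already verified the Facebook login.

```python
import sqlite3

def make_allowlist(user_ids):
    """Build the allowlist table (in-memory here; IDs are constructed samples)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE beta_allowlist (fb_user_id TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO beta_allowlist VALUES (?)",
                   [(str(uid),) for uid in user_ids])
    return db

def is_allowed(db, fb_user_id):
    """Fail closed: a missing ID or one not in the table is denied."""
    if not fb_user_id:
        return False
    row = db.execute("SELECT 1 FROM beta_allowlist WHERE fb_user_id = ?",
                     (str(fb_user_id),)).fetchone()
    return row is not None

class BetaGate:
    """WSGI middleware: the check runs before every page of the wrapped app."""
    def __init__(self, app, db, denied_url):
        self.app, self.db, self.denied_url = app, db, denied_url

    def __call__(self, environ, start_response):
        # Assumption: the authentication step that runs earlier stores the
        # verified Facebook user ID under this hypothetical key. The ID is never
        # read from the query string or a form field, which the visitor controls.
        user_id = environ.get("beta.fb_user_id")
        if not is_allowed(self.db, user_id):
            start_response("302 Found", [("Location", self.denied_url)])
            return [b""]
        return self.app(environ, start_response)

def beta_app(environ, start_response):
    """Stand-in for the real application pages."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"beta feature"]

def status_for(app, environ):
    """Drive the WSGI app once and return the status line it produced."""
    seen = []
    body = app(environ, lambda status, headers: seen.append(status))
    list(body)
    return seen[0]
```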