I'm developing for Android and currently use facebook-android-sdk for authentication. From what I can see there is no use of the app secret in that code, which is great.
Now that Facebook are going to remove the offline_access permission I need to extend the access token. Unfortunately the SDK's extendAccessToken method isn't stand-alone and requires the official Facebook application to be installed, which is unacceptable for me.
So I decided to implement extendAccessToken directly (similar to the iphone sdk implementation). The problem is the HTTP request for extending an access token requires the client_secret field, which means I need to put the app secret in the code itself. This doesn't feel safe at all for an Android/Java application that can be reverse engineered easily.
Are there any alternatives?
Why not host the code for doing this on your own server, and have the client extend the token via a call to your server?
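One way to realise that suggestion, as an added example that is not part of the original post, the Facebook SDK, or the Graph API itself: a server-side exchange function the Android client calls over TLS, so the app secret only ever lives on the server. The Graph API endpoint, the `fb_exchange_token` parameter names, and the environment variable names are assumptions.

```python
# Added example (not from the question, the answer, or the Facebook SDK):
# extend a short-lived token on YOUR server so the app secret never ships in the APK.
import json
import os
from urllib.parse import parse_qs, urlencode
from urllib.request import urlopen

# Assumed Graph API endpoint and parameter names for the token-exchange flow.
GRAPH_EXCHANGE_URL = "https://graph.facebook.com/oauth/access_token"


def build_exchange_request(app_id, app_secret, short_lived_token):
    """URL the *server* calls; this is the only place the secret appears."""
    params = {
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_lived_token,
    }
    return GRAPH_EXCHANGE_URL + "?" + urlencode(params)


def parse_exchange_response(body):
    """Accept either the JSON reply or the legacy 'access_token=..&expires=..' form."""
    body = body.strip()
    if body.startswith("{"):
        data = json.loads(body)
        return data["access_token"], int(data.get("expires_in", 0))
    fields = parse_qs(body)
    return fields["access_token"][0], int(fields.get("expires", ["0"])[0])


def extend_token_for_client(short_lived_token, app_id, app_secret, fetch):
    """Handler body for the endpoint the Android app calls.

    The client sends only its short-lived token; it gets back only the long-lived
    token and expiry. `fetch` (url -> response text) is injectable so the flow can
    be exercised offline; in production pass a real HTTP GET.
    """
    if not short_lived_token:
        raise ValueError("client supplied an empty token")
    url = build_exchange_request(app_id, app_secret, short_lived_token)
    token, expires = parse_exchange_response(fetch(url))
    return {"access_token": token, "expires_in": expires}


if __name__ == "__main__":
    # Assumed env var names; the server process holds the secret, the APK does not.
    http_get = lambda url: urlopen(url).read().decode()
    print(extend_token_for_client(os.environ["FB_SHORT_TOKEN"],
                                  os.environ["FB_APP_ID"],
                                  os.environ["FB_APP_SECRET"], http_get))
```

Because the Graph API checks that the token was issued to the app identified by `client_id`/`client_secret`, the server cannot be used to extend tokens belonging to other apps, and the secret never appears in the response it returns.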