dongyun6003 2019-04-22 10:59

Android app authentication using a Facebook token

I'm creating an Android app that allows people to register via Facebook Account Kit.

Facebook Account Kit returns a Token to me after the user has been verified (via SMS).

After this I get the user's Facebook ID and phone number.

I use the user's facebook ID as a user ID in my application.

At the moment, when I need to get user data from the database and have to show it on the app, I use a hidden field in the app to send the user ID to the PHP file to filter the data.

Many have told me that it is not recommended; they told me to send a Token to the PHP file and then get the user ID linked to that token.

I can't understand a few things:

1) The Token must be associated to the user's ID address, could I save them in the same MySQL table or could I do it in another way?

2) When the Token expires, what happens? I have to log in the user again and save the new Token on the MySQL table. But to do this I will have to specify that it will be saved in the line where the user ID is the same as the user ID and then send the user ID from the app again.

3) To log in, I request the phone number and the user ID, I will have to send them from the app to the PHP file that checks whether the user exists or not, but so I return to the initial problem, i.e. send the user's ID and the phone number from the app to the PHP file.

The user ID and phone number are not saved in the app, but when I need them I request them through the Facebook Account Kit API and insert them in EditText.

Do you think what I do is safe?

Do you recommend a more valid alternative for securing my users' data?

But above all if you have to reproach me for something about my question, do it, maybe I misunderstood the operation of the tokens and what I asked is wrong.

Feel free to tell me what you think.

Thanks a lot.
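The token-to-user-ID lookup that was suggested to the asker, as an added example that is not part of the original post: the server stores a hash of an opaque token next to the user ID and an expiry, and every later request is resolved from the token alone. The `sessions` table, the function names and the sample values are assumptions, in-memory SQLite stands in for MySQL, and the Account Kit verification that yields the user ID is not shown.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: one row per issued token. Only the SHA-256 of the
// token is stored, so a leaked table does not hand out usable tokens.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    token_hash TEXT PRIMARY KEY,
    user_id    TEXT NOT NULL,
    expires_at INTEGER NOT NULL)');

// Called only after the server itself has verified the Account Kit token and
// learned $userId from that verification (not shown), never from the app.
function issueSession(PDO $db, string $userId, int $ttl, int $now): string
{
    $token = bin2hex(random_bytes(32));           // 256-bit opaque token
    $stmt  = $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, $now + $ttl]);
    return $token;                                // returned to the app once
}

// Every data request carries only the token; the user ID comes from the row.
// Returns null for unknown or expired tokens.
function resolveUser(PDO $db, string $token, int $now): ?string
{
    $stmt = $db->prepare(
        'SELECT user_id FROM sessions WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), $now]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (string) $userId;
}

$now   = 1555930000;                              // constructed timestamp
$token = issueSession($db, 'constructed-user-42', 3600, $now);

// Token inside its lifetime.
var_dump(resolveUser($db, $token, $now + 60));
// Token past its expiry: the app has to verify with Account Kit again,
// and the server issues a fresh token from that verification.
var_dump(resolveUser($db, $token, $now + 7200));
// Token the server never issued.
var_dump(resolveUser($db, str_repeat('0', 64), $now));
```

With this layout the app never sends a user ID or phone number as a lookup key, so changing a request field cannot select another user's rows.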
