android - How does Facebook verifies mobile apps

Question

Assume that you build a native android app which uses Facebook login. For that first you have to build a Facebook app and configure Package Name, Class Name, Key Hashes of your android app. I assume the authenticity of app is validated through this Key hash. but the problem is after we configure this key in Facebook app, we never configure it in our mobile app or send it to Facebook when we make API calls. So how does the Facebook validates that this is the original app which is making the API call?

Answer 1

Whenever you put an app onto a device (whether via eclipse/IntelliJ or by building a .apk) you're signing it with a key. When you log in via Facebook using SSO, the native Facebook app can get the signature of the calling app, and passes it to the server to get verified.