Tags: android, facebook, facebook-graph-api, facebook-android-sdk

Android facebook sdk : Login works without proper key hash


I have created an Android sample app on developers.facebook.com but I haven't provided any key hash in the settings. Now, if I try to log in from my sample app while the Facebook app is installed, it gives the "invalid key hash" error, which is expected.

However, if I disable the Facebook app, it opens a WebView overlay by default and login works just fine without any error. Shouldn't this be a security issue, because if any hacker gets access to my app_id he can create his own app with the same app_id and use it to log in through Facebook? It would be helpful if anyone could explain this security issue.


Solution

  • Using a webview, there's no ability to enforce the sending of a key hash since the SDK is open source, and anyone can modify the source code (meaning they can override whatever key hash the SDK generates).

    During login, the user will still see the name and icon of the app they're authorizing, and presumably will notice that the one they're authorizing is not the one they currently have opened. There may also be some limitations of the access token obtained from a webview.
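As an added illustration (not code from the question, the answer, or the Facebook SDK itself): the key hash the SDK sends in the native-app flow is the Base64 of the SHA-1 of the app's signing certificate, so it ties the app_id to whoever holds the signing key. The helper below, assumed to run inside the Android app, computes that value so the correct hashes can be registered in the app settings; the WebView fallback described above never gets to check it.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Base64;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

/** Computes the Facebook-style key hash of every certificate that signed this app. */
public final class KeyHashUtil {

    private KeyHashUtil() {}

    /**
     * Facebook's key hash is Base64(SHA-1(DER-encoded signing certificate)).
     * Register the value(s) returned here in the app's Facebook settings; the
     * native-app login flow compares the calling app's signature against them,
     * which is the check the WebView fallback cannot perform.
     */
    public static List<String> signingKeyHashes(Context context) {
        List<String> hashes = new ArrayList<>();
        try {
            // GET_SIGNATURES is deprecated from API 28 in favour of
            // GET_SIGNING_CERTIFICATES, but it is what SDKs of this era read.
            @SuppressWarnings("deprecation")
            PackageInfo info = context.getPackageManager().getPackageInfo(
                    context.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                hashes.add(keyHash(sig.toByteArray()));
            }
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            throw new IllegalStateException("could not read signing certificates", e);
        }
        return hashes;
    }

    /** Pure function: the same value `keytool -exportcert | openssl sha1 -binary | openssl base64` prints. */
    static String keyHash(byte[] derCertificate) throws NoSuchAlgorithmException {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        return Base64.encodeToString(sha1.digest(derCertificate), Base64.NO_WRAP);
    }
}
```

Compare the output against the hash of the release signing certificate before shipping, since a debug-keystore hash registered by mistake leaves the release build failing the native-app check and silently falling back to the WebView flow.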