I have created an Android sample app on developers.facebook.com, but I haven't provided any key hash in the settings. Now, if I try to log in from my sample app while the FB app is installed, it gives the invalid key hash error, which is expected.
However, if I disable the Facebook app, it opens a webview overlay by default and login works just fine without any error. Shouldn't this be a security issue? If any hacker gets access to my app_id, he can create his own app with the same app_id and use it to log in through FB. It would be helpful if anyone could explain this security issue.