Here is a thought:
Once you authenticate the user in your iOS app, get the access_token, and pass only this in your REST call to your server.
On the server side, make a request to https://graph.facebook.com/me?access_token=... using the access_token that you transmitted. If the access token is valid, you will get all the user's data, proving that you have a valid, authenticated user.
If you wanted to be extra sure, you can also request http://graph.facebook.com/app?access_token=... to be sure that the access token was created by your app.
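The server-side check described in this answer, as an added example that is not part of the original post: it calls `/me` and then `/app` with the forwarded token and only accepts the login when the token is valid and the app id returned by `/app` equals your own. `MY_APP_ID` is a placeholder, the `fetch` parameter is a hypothetical hook so the Graph call can be replaced by a constructed offline response, and the sample responses are constructed.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

GRAPH_BASE = "https://graph.facebook.com"
MY_APP_ID = "123456789012345"  # placeholder: replace with your own Facebook app id


def graph_get(path, access_token, fetch=None):
    """GET a Graph API path with the token. Returns the parsed JSON, or None on a Graph error.
    fetch(url) -> bytes is an injectable transport (hypothetical hook, used for offline tests)."""
    url = f"{GRAPH_BASE}/{path}?{urlencode({'access_token': access_token})}"
    if fetch is None:
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                body = resp.read()
        except urllib.error.HTTPError as e:
            body = e.read()  # Graph returns a JSON error body with a 4xx status for bad tokens
    else:
        body = fetch(url)
    data = json.loads(body)
    return None if "error" in data else data


def verify_facebook_token(access_token, expected_app_id, fetch=None):
    """Return the Facebook user id if the token is valid AND was issued to our app, else None.
    Checking /app matters: a valid token minted for a different app must not log anyone in here."""
    me = graph_get("me", access_token, fetch)
    if not me or "id" not in me:
        return None
    app = graph_get("app", access_token, fetch)
    if not app or app.get("id") != expected_app_id:
        return None
    return me["id"]


def fake_graph(responses):
    """Build an offline fetch() answering from a constructed {path: json} dict (test double)."""
    def fetch(url):
        path = url.split("/", 3)[3].split("?", 1)[0]  # ".../me?access_token=x" -> "me"
        return json.dumps(responses[path]).encode()
    return fetch


# Constructed sample responses: a good token, a token from another app, and a revoked token.
GOOD = fake_graph({"me": {"id": "1000", "name": "Test User"}, "app": {"id": MY_APP_ID}})
WRONG_APP = fake_graph({"me": {"id": "1000", "name": "Test User"}, "app": {"id": "999"}})
BAD_TOKEN = fake_graph({"me": {"error": {"message": "Invalid OAuth access token."}},
                        "app": {"error": {"message": "Invalid OAuth access token."}}})
```

Only the user id returned by `/me` should be used to look up or create the local account; never trust a user id sent by the client alongside the token.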