You're query is absolutely correct. I'm not sure but the problem could be that you have not urlencoded
the fql query.
You can try this-
string query = WWW.EscapeURL("SELECT uid, name, is_app_user, pic_square FROM user WHERE uid IN (SELECT uid2 FROM friend WHERE uid1 = me()) AND is_app_user = 1");
string fql = "/fql?q="+query;