Open
Description
Currently, all requests from the Android app to the server use the access_token from Facebook, which we are using to identify the user. We are not using authenticity_token, which I think Devise gives us, so we had to disable the CSRF checks that Rails does.
This is definitely not the most secure, so at some point we need to fix this.