Google zoeken:
It depends on the particular API call you are making. However, any call that includes an access token to either Facebook's rest or graph API must be over SSL. Facebook will deny the request from their server if you include an access token over a non-secure request. The only api calls that wouldn't be over SSL are ones that access publicly available information such as http://graph.facebook.com/zuck/. This isn't specific to any single Facebook client SDK, this applies to any client accessing Facebook's API servers.
Dan is het natuurlijk ook nog de vraag of de app het certificaat wel op geldigheid controleert. Dat is iets wat je zou moeten testen