I'm developing a webapp+android app that has its own registration flow - simple authentication using email and password.
I easily integrated the facebook login from the website, following the second scheme in this page.

Now, I need to 1-click authenticate the Android application with facebook. The main point is that, after the Android app is authenticated, i need to send from my server some specific cookies that are needed for permissions checks when the user wants to do some operations.

The problem is that I cannot authenticate through the facebook token: from what i see, the token would work even if it was taken from another application, so I cant send private data trusting only the fb token (even if it was sent by SSL), since it could be another app pretending it's the user. Is there any registration flow similar to the one above for authenticating android apps?
Or there is any advice to overcome this issue?

Ok, facebook has fixed this by deprecating the offline_token and providing a longer access token from the client. This Token can be validated server side against my app id and app secret with this new endpoint:

https://graph.facebook.com/oauth/access_token?             
    client_id=APP_ID&
    client_secret=APP_SECRET&
    grant_type=fb_exchange_token&
    fb_exchange_token=EXISTING_ACCESS_TOKEN 

so I can be sure about the user identity.