
Is Facebook Client-Side Flow Authentication Secure?

To perform user authentication and app authorization in my desktop application, I follow the documentation given on http://developers.facebook.com/docs/authentication/ page.

This is what I do in my app:

  1. Create a dialog with an embedded web browser navigating to the `https://www.facebook.com/dialog/oauth?client_id=<my_app_id>&scope=offline_access&redirect_uri=http://www.facebook.com/connect/login_success.html&response_type=token` URL.

  2. If all goes well (user logs in and authorizes my app), I extract access token from the redirected URL and store it assuming that the value obtained is a long-lived token (notice the offline_access permission).

QUESTION 1: Does this all mean that anyone who finds out my app-id and access token can misuse this information?

I mean getting the app-id is simple enough considering that my app is .NET based (Reflector anyone?). And getting to access token even if I encrypt it or whatever is not impossible.

QUESTION 2: How would I make this whole process secure enough?
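Step 2 of the flow above is where the token changes hands, so the way the redirect is read matters. The following is an added example (Python rather than the asker's .NET, and not code from the question or from Facebook) of extracting the result of a `response_type=token` dialog from the final URL the embedded browser lands on. It only accepts the URL when scheme, host and path match the configured `redirect_uri`, reads the token from the fragment (where the implicit flow places it, so it never reaches a server in the request line) and reads error responses from the query string. The sample URLs in the test are constructed, not captured; the token value is a placeholder.

```python
from urllib.parse import urlsplit, parse_qs

# The redirect_uri the dialog was opened with (the one used in the question).
EXPECTED_REDIRECT = "http://www.facebook.com/connect/login_success.html"


def parse_oauth_redirect(url, expected_redirect=EXPECTED_REDIRECT):
    """Extract the outcome of a response_type=token dialog from the final URL.

    Returns {"access_token": ..., "expires_in": int} on success, or
    {"error": ..., "error_reason": ..., "error_description": ...} when the
    user declined.  Raises ValueError when the URL is not the expected
    redirect target, so a token is never harvested from an arbitrary page
    the embedded browser happened to navigate to.
    """
    parts = urlsplit(url)
    expected = urlsplit(expected_redirect)
    if (parts.scheme, parts.netloc.lower(), parts.path) != (
        expected.scheme, expected.netloc.lower(), expected.path
    ):
        raise ValueError("not the expected redirect_uri: %s" % url)

    # Success parameters arrive in the fragment (#access_token=...), which the
    # browser keeps client-side; error parameters arrive in the query string.
    fragment = parse_qs(parts.fragment)
    query = parse_qs(parts.query)

    if "access_token" in fragment:
        result = {"access_token": fragment["access_token"][0]}
        if "expires_in" in fragment:
            # Lifetime in seconds as reported by the dialog; the caller decides
            # how to treat it (this example does not assume any special value).
            result["expires_in"] = int(fragment["expires_in"][0])
        return result

    if "error" in query:
        result = {"error": query["error"][0]}
        for key in ("error_reason", "error_description"):
            if key in query:
                result[key] = query[key][0]
        return result

    raise ValueError("redirect carried neither access_token nor error")


def redacted(token, keep=4):
    """Form of the token that is safe to write to a log file: never log the
    full value, since anyone reading the log could use it directly."""
    if len(token) <= keep:
        return "*" * len(token)
    return token[:keep] + "*" * (len(token) - keep)


if __name__ == "__main__":
    # Constructed sample redirect, not a real Facebook response.
    sample = EXPECTED_REDIRECT + "#access_token=EXAMPLE_TOKEN_VALUE&expires_in=0"
    outcome = parse_oauth_redirect(sample)
    print("token:", redacted(outcome["access_token"]), "expires_in:", outcome["expires_in"])
```

Checking the redirect target before reading the fragment is the one step that is easy to skip in a browser-control callback: the navigation event fires for every page the dialog visits, and only the configured `redirect_uri` should be treated as carrying a credential.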


Yes, I would imagine this could be a security issue; not with your application, but with Facebook itself. Even if you were to encrypt your key, there would need to be a method through which the application decrypts the key (for example, the key would have to be stored somewhere in the application). Another issue: assuming the encryption was perfect and unbreakable, someone could still:
a) Extract your access token from RAM while it is in transit
b) Possibly use an SSL interceptor program to create a fake signed certificate, and decrypt the access token. However, what is the likelihood of someone actually doing that? Why would they WANT to do that?

