We have a user that sounds like they had their MySpace account broken into by someone who has copied the url to their game provided by MySpace when launching it from the canvas iframe, the URL looks like below missing parameters and some other values:
api.msappspace.com/apprendering/../canvas/../../render.app
Once you have access to that link it appears that you do not need to be logged in to MySpace to play. I assume that the first parameter passed through is an opensocial token that is used for authentication, is there an expiry time for this? If not, how can we tell on our end that it is accessing an older iframe link?
Currently to see if the user is installed we read the viewers data, if it comes back without error we proceed to allow access to the app/game.