Or if you must, use their oauth flow and API but _don't_ include code of theirs you don't control directly in your binary. It's just asking for trouble.
It's unfortunately against Facebook's Developer Policy (if you're offering "Sign In with Facebook" functionality). To use that capability you are required to use the official SDK! I filed a (probably futile) issue with them here: https://github.com/facebook/facebook-ios-sdk/issues/1437
Yes, Facebook requires that any mobile app using Facebook login do so via their SDK. Presumably they will disable your Facebook app (breaking login) if you don’t comply.
They told us that explicitly. We had been using the URL-based login on the app (i.e. open a browser with the URL and use the redirect to continue logging in), for almost two years. Then about a year ago, they e-mailed us just before a holiday and told us we had less than a week to move all of our apps to SDK otherwise they'd just disable us. Their argument was that "it's not providing the best possible experience to our users". There hadn't been a single complaint about it though.
We had nearly 100,000 users logged into our app via Facebook login so we were basically strongarmed into complying. We somehow pulled it off before the deadline for both Android and iOS but felt really dirty afterwards.
Or if you must, use their oauth flow and API but _don't_ include code of theirs you don't control directly in your binary. It's just asking for trouble.
https://news.ycombinator.com/item?id=23099788