Fighting Meta for 30 Days
You’d think getting a simple Facebook app approved in 2025 would be like filling out a form and uploading a screencast, right? Oh, sweet summer child.
What I thought would take a day turned into a month-long saga of circular emails, blocked test accounts, and so much irony I could taste it. Here’s what went down — and more importantly, how I finally hacked my way out of the Meta madness.
Welcome to Bureaucracy Hell
It all started when we submitted our app for review with the required permissions and a screencast. Nothing fancy. Then we received the first of many messages from the Meta review team:
“We have determined that the submitted use case and screencast are valid. However, we are unable to utilize the provided Facebook test account because it requires login approval from other devices…”
Oh, no problem, right? Just fix the test account!
Except… Facebook has disabled the ability to create test accounts. 🤡
So what does Meta suggest?
“Please ensure the test account is set up properly.”
The Fake Account Fiasco
Okay, no test account. Plan B? Let’s make a fake account (yes, really — Meta basically told us to do it).
We created a fake Facebook account, sent them the login credentials… only to get this:
“Account access denied due to unusual activity.”
Apparently, Facebook saw the login from the Philippines (where the reviewers were located), noticed the account was accessed elsewhere before, and immediately blocked it. 🤦♂️
Then came the next wave of Meta responses. Screencast valid. Then not valid. Then valid again. Same screencast. No changes. Just… different reviewers. Ping-pong. Back and forth. For weeks.
When All Else Fails, Ask Reddit
At this point, I was ready to give up. But then, a ray of light appeared — a Reddit post (shoutout to the legend who wrote this):
“Here’s how I got my app approved — by giving Meta a way to fetch the 2FA code for my dummy Facebook account in real-time.”
Wait what?! 😮
The trick? Give reviewers access to a dummy account, with 2FA enabled, and provide them a web page where they can fetch the latest 2FA code via a custom AWS Lambda function.
Does it work? OH YES.
The Solution
Here’s what we did — and what finally worked:
1. Created a dummy FB account.
2. Enabled 2FA using an authenticator app.
3. Extracted the 2FA secret from the QR code.
4. Created an AWS Lambda function with PyOTP to generate the current OTP.
5. Hooked it up to a simple HTML page hosted on AWS S3.
6. Gave Meta the URL to the page so they could fetch the 2FA code during login.
7. 🎉 THEY GOT IN. THEY REVIEWED.
View detailed instructions here.