Set Field Level security for profile using meta-data api

It does not have to be through the retrieve->deploy process. I got this to work using CRUD metadata api calls. This is the meat of the logic in C#

        Logger.Info("SalesForceProxy.UpdateFieldVisibility invoked. (Profiles: {0}; Fields: {1})", String.Join(", ", profilefullNames), String.Join(", ", fieldfullNames));

        if (String.IsNullOrWhiteSpace(_instanceUrl) || String.IsNullOrWhiteSpace(_accessToken))
        {
            Authenticate();
        }

        var permissionList = fieldfullNames.Select(field => new ProfileFieldLevelSecurity
            {
                field = field,
                editable = true,
                readable = true,
                readableSpecified = true
            }).ToArray();

        Logger.Info("Updating Profile Metadata...");
        var updateRequest = new updateMetadataRequest(
            new SessionHeader() { sessionId = _accessToken },
            new CallOptions(),
            profilefullNames.Select(profileName => new Profile
            {
                fullName = profileName,
                fieldPermissions = permissionList
            }).Cast<Metadata.Metadata>().ToArray());

        RequestObjectCache.Add(updateRequest);
        var updateResponse = MetadataService.updateMetadata(updateRequest);
        var updateSuccessful = true;

        foreach (var result in updateResponse.result.Where(result => !result.success))
        {
            Logger.Error("Metadata Update Failed");
            if (result.errors != null)
            {
                foreach (var errorMsg in result.errors)
                {
                    Logger.Error("Error in Update Metadata (Code: {0} Message: {1})", errorMsg.statusCode,
                        errorMsg.message);
                }
            }
            updateSuccessful = false;
        }
        Logger.Info("SalesForceProxy.UpdateFieldVisibility finished. (Success: {0})", updateSuccessful);

Update

Since this was posted there are now simpler ways to accomplish this. Refer to Greg's answer for specifics.

Original Answer

Yes, it's possible, but it's not particularly easy. Unlike creating fields which you can utilize the "CRUD" based metadata api calls, profiles require using retrieve and deploy calls. This means you'll have to deal with zipping and unzipping the data for the deploy/retrieve calls, constructing the xml for the package manifest to do the retrieve call, and dealing with modifying the resulting xml. I'm not aware of any sample code for this unfortunately.

High Level Steps

1. List out Profiles

You'll need to list out all the profiles that you want to update the field level security for

2. Construct your Project Manifest

Build a package.xml that includes all profiles from step 1, and any fields you want to set the security for. Profiles only include permissions related to the other components in the next step, so you must retrieve them in conjunction with any components you're update the security for.

3. Do a retrieve call and unzip the result

Use your project manifest to do a retrieve call and unzip the resulting zip file.

4. Update the permissions

Update the profile XML with the desired permissions

5. Deploy the changes

Zip everything back up and do a deploy call.