i mean, they offer FB sign in in the app, so the FB SDK is bundled with the app binary. looks like the mere presence of the library is causing crashes. someone on a related GH thread noted they commented out the code invoking the FB SDK but the issue remained.
Yeah these SDKs are siphoning off data without authorization like your location, songs you listen to and who knows what else (eg other processes or apps running on your phone). Eg the latest iOS exploit allows any app to get access to all SMS data.
Tech companies of today trample upon individual privacy openly. Amazing!
i'm by a longshot no facebook fan but... are you sure the SDK can actually siphon out what songs you listen or your location from the app it's sandboxed in (which, BTW, is in its own sandbox from an iOS system POV, and also has its own set of permissions)?
if (restrictiveParams[eventName] as! [String: Any])["test"] != nil
In Swift, now hopefully you wouldn't write this code but it's not entirely unlikely too. In fact the above Objective-C snippet is one of the few cases where Objective-C's forgiving `nil` behaviour doesn't save you from a crash.
Well the reason FB/Foursquare/Google etc add these to 3rd party apps is so they can get data. Example if you visit a website which has a Facebook like button, your browser fetches the js files/which maybe even makes an API call to let FB know your IP (and hence location). All this data is fed to the giant system that feeds you ads.
Adding their SDK to other apps/sites (even if there is no user facing need) is a common strategy used by most big companies to get data. In return the app that puts in the SDK gets $ from the company.
You have no idea what you're talking about. Apps use the Facebook library because a good portion of end-users want to be able to login with a Facebook button --or Google, or whatever that doesn't require them to create a user/password account. It's just that simple.
I think he's talking in general. I worked at Spotify for a while and I can tell you the only reason they have the FB SDK bundled is to provide login.
They dont use FB for any tracking or attribution at all, for that they have other frameworks. They are aware of the FB SDK misbehaving in some cases and do take steps to prevent it.
Yes, requiring the SDK to implement Facebook Login is the decision that's being criticized. Facebook encourages SDK usage obviously for the data collection it enables, but even they provide an OAuth-only login flow that doesn't require the SDK at all: https://developers.facebook.com/docs/facebook-login/manually...
Then if this can be fixed by a server side change as suggested below, that's worrisome, since it suggests it is communicating with FB even if you don't invoke it.
the real question though is if the library is not even imported into the main app and just left hanging around, linked, would it still crash? i'd be curious to know
Spotify is a web app, that is wrapped into clients on different platforms. The app is constantly pinging googletagservices.com, edgesuite.net, fbcdn.net, fbsbx.com, google.com, googlesyndication.com and doubleclick.net, however you are using the app. It doesn't matter if you only listen to one, unshared, downloaded playlist. Constant tracking.
Facebook chose to make Facebook Login spyware, and Spotify didn't think anyone would mind when they did, because who cares about tracking? and/or wasn't aware, because who could realize this from the unclear Facebook docs? (Either is possible!)
That was a very pre-2019 decision, and now that Facebook just set the world on fire, we're probably going to see a lot fewer Login with Facebook.
The ironic thing is that you can actually implement Facebook login in a privacy-respectful manner by using standard oAuth where Facebook is only contacted when the user decides to log in with it (which is mostly fine as they have an account anyway and thus consent to Facebook tracking).
It's likely that apps that load the SDK are using other features of it, such as Facebook Analytics (which is similar to Google Analytics), not just login with Facebook.
They had some big partnership deal about 8 years ago which involved some low level integration. It also gave Spotify access to more Facebook user information than what was originally authorized, like letting Spotify read users' FB messages.
I remember being grandfathered into not having it and Spotify would ask me every time I logged in to integrate my FB account.
It’s part of most apps you use on your phone - Facebook is great for app download campaigns and adding the SDK means end to end visibility on marketing. So “everyone” is using it.
In an abstract sense this is similar to how Facebook (ab)used the like button on 3rd party sites to track anyone using that site. Only it’s much worse because with an app SDK they have access to much more sensitive data.
You can implement Facebook login server-side with basic oAuth. No requests to Facebook are necessary until the user actually wants to log in with Facebook.