[surferbayarea]

Yeah these SDKs are siphoning off data without authorization like your location, songs you listen to and who knows what else (eg other processes or apps running on your phone). Eg the latest iOS exploit allows any app to get access to all SMS data. Tech companies of today trample upon individual privacy openly. Amazing!

[MCKapur]

i'm by a longshot no facebook fan but... are you sure the SDK can actually siphon out what songs you listen or your location from the app it's sandboxed in (which, BTW, is in its own sandbox from an iOS system POV, and also has its own set of permissions)?

[lucasar]

I am an iOS developer and most likely the problem is related to configuration and basic analytics, not "siphoning" app data.

Offending code :

if (restrictiveParams[eventName][@"is_deprecated_event"]) {

        [deprecatedEventSet addObject:eventName];

}

So, the iOS library does not check for nil, and whatever the server is returning does not have the expected content. Lame.

[bryansum]

Looks like that would've probably been caught if it were written in Swift.

[K0nserv]

    if (restrictiveParams[eventName] as! [String: Any])["test"] != nil

In Swift, now hopefully you wouldn't write this code but it's not entirely unlikely too. In fact the above Objective-C snippet is one of the few cases where Objective-C's forgiving `nil` behaviour doesn't save you from a crash.

[surferbayarea]

Well the reason FB/Foursquare/Google etc add these to 3rd party apps is so they can get data. Example if you visit a website which has a Facebook like button, your browser fetches the js files/which maybe even makes an API call to let FB know your IP (and hence location). All this data is fed to the giant system that feeds you ads. Adding their SDK to other apps/sites (even if there is no user facing need) is a common strategy used by most big companies to get data. In return the app that puts in the SDK gets $ from the company.

[traek]

Of the companies you named, Foursquare's business model explicitly revolves around paying apps for user location data and selling it.

I doubt (and at least from my experience around SV, haven't seen) that FB/Google are paying apps to include their SDKs.

[lucasar]

You have no idea what you're talking about. Apps use the Facebook library because a good portion of end-users want to be able to login with a Facebook button --or Google, or whatever that doesn't require them to create a user/password account. It's just that simple.

[surferbayarea]

I have been witness to such business partnerships to embed SDKs to siphon telemetry/other data. The world is not as simple as you think...

[MCKapur]

well, this would be extremely believable

[ratww]

If you only need login, then you can have the same functionality without the Facebook SDK or Google SDK by using OAuth.

[zlorch]

I think he's talking in general. I worked at Spotify for a while and I can tell you the only reason they have the FB SDK bundled is to provide login. They dont use FB for any tracking or attribution at all, for that they have other frameworks. They are aware of the FB SDK misbehaving in some cases and do take steps to prevent it.

[bvandewalle]

you are assuming that the Spotify app is not simply handing that data over. I would not be surprised if there is a financial agreement in place.