Facebook iOS SDK Remotely Crashing Spotify, TikTok, Pinterest, Winno and More (opens in new tab)

(github.com)

824 pointsMCKapur6y ago356 comments

356 comments

166 comments · 48 top-level

yllus6y ago· 44 in thread

For those wondering why the Facebook SDK is so widely used in popular mobile apps: Facebook Login is actually in the minority of reasons to add the Facebook SDK to your mobile app. The vast majority of apps will add the Facebook SDK because it contains Facebook App Ads; a library that "completes the circle" in terms of finding out how effectively the ads you ran on Facebook were at getting people to download, install and run your mobile app. So really the Facebook SDK is there to collect data of that advertisement being effective and provides both Facebook and the mobile app developer with knowledge of how their ad spend went.

Is that "spyware"? Some would call it merely wanting to know if your marketing budget was wisely spent - I suppose a lot depends on what data it collects on people.

More info: https://developers.facebook.com/docs/app-ads

Waterluvian6y ago

Don't mind me. I'm just going to come into your house and record what commercials you are watching. I'm not spyware I'm just _merely_ wanting to know about my marketing budget.

Analogy may not be perfect but it takes serious mental gymnastics to fail to see this as spyware, in my opinion.

bitcrazy6y ago

It wouldn't be surprising if some Smart TVs are already doing this.

5 more replies

hedora6y ago

Don’t forget that you’re picking which houses to invade based on gender, age, etc.

Totally not creepy.

blackoil6y ago

Isn't that how the TRP is calculated. IIRC agencies install devices in random houses to find which program is being watched.

2 more replies

drdrey6y ago

How does the Facebook SDK in a 3rd party app correlate that you're the same user if you don't log into the app with FB? Is there some universal device identifier all your apps have access to?

simonbr6y ago

There was a static universal device identifier until iOS 6. Even today, while Apple has implemented many sensible restrictions on tracking, there's still a ton of information that can be used for device fingerprinting freely available to all apps. This blog post [0] pegs the amount of useful information at around 56 bits.

[0]: https://nshipster.com/device-identifiers/#fingerprinting-in-...

Nextgrid6y ago

The IP addresses (both WiFi and mobile), device make/model, carrier and locale can be combined into a fairly unique fingerprint, narrowing it down even more over time since the SDK phones home every time the app is opened.

Jarwain6y ago

There's an "advertising id" that's assigned to your phone, accessible by apps you install. This ID can be reset by the user, but only if they are aware of it.

1 more reply

mcintyre19946y ago

Do you know how common it is to use the Facebook SDK for app analytics even from outside the Facebook ads ecosystem? I can’t remember exactly where I got this from but I was under the impression that it was pretty widely used for general analytics in the same way that loads of sites use Google Analytics without being in their ads ecosystem.

sfifs6y ago

One important distinction that often gets lost in these conversations is the difference between "linking" and "de-anonymization". In general, the bigger players in the analytics space are extremely careful about avoiding any risk of de-anonymization both contractually and in process. Salted hashes and minimum base sizes to report out are the norm. Some funkier approaches seem to be in R&D. There are of course bad players in the fringes but the big players have largely cleaned up their act.

coldcode6y ago

Thankfully we removed FB several years ago when I found it sending data to FB servers that we did not authorize, we support our own logins for our own customers and there was no reason to use it (not sure the history before I got here). Sadly we do use Google Maps and got bit for weeks when that fiasco happened recently. I wish we could just use Apple Maps for iOS but somehow we have some marketing deal or something with Google.

sbmthakur6y ago

Many apps on my Android device routinely send requests to edge-star-.facebook.com even when I don't use facebook login. Are these ad related requests?

Nextgrid6y ago

That’s most likely the Facebook SDK we’re talking about. The SDK phones home regularly regardless of whether it’s features are actually being used.

cpv6y ago

You can get NetGuard on Android and see how often and what is called (facebook.com, graph.facebook.com, other vendors, platforms, IPs, etc). You can choose to block what is not needed. Kind of uBlockOrigin for Android. Sometimes stuff breaks.

And a lot of stuff is not related to FB Login.

Facebook launched Facebook Off Activity a while ago https://news.ycombinator.com/item?id=22178917

You can go to your profile, and check which third parties, or advertisers uploaded contact data of you, download backup data to see in json files which apps what sent about you ("App activated", "Made some purchase").

mrspeaker6y ago

If you squint then the Venn diagram of "spyware" and "knowing if your marketing budget was wisely spent" is a circle.

jagged-chisel6y ago

No need to squint, just cross your eyes ever-so-slightly

sneak6y ago

It’s spyware when the user is unaware of it and their usage data is used without their consent.

If the parties consent to it, it’s fine. When it’s hidden and nonconsensual is where the problem arises.

monadic26y ago

> Is that "spyware"?

This seems like much less of a damning claim than openly supporting an ad network.

arrty886y ago

Can’t you just use a simple tracking pixel?

Nicksil6y ago

>Is that "spyware"?

Yes, absolutely.

It uses energy and bandwidth I paid for to surreptitiously transmit my information for use which will solely benefit Facebook and the software developer.

marmada6y ago

I feel like I'm in the minority here -- but I don't understand the problem.

Software developers want to know whether their existing marketing methods are effective. The FB SDK helps with this. You always have the choice to not install the app (if you don't want to).

This also helps developers make sure their marketing is effective and reaching the right people, which seems like a win-win to me.

11 more replies

ignoramous6y ago

> Is that "spyware"?

>> Yes, absolutely.

Much much worse: https://news.ycombinator.com/item?id=19595478

mayank6y ago

In that sense, any sort of client-originated telemetry is spyware. And there’s an awful lot of that, starting with ICMP.

1 more reply

bzb36y ago

If the software developer didn't get anything off you they wouldn't make the software available to you in the first place.

6 more replies

cjhopman6y ago

That definition is rather too broad. It makes basically everything spyware which dilutes the word too much to be useful.

3 more replies

opportune6y ago

Devil's advocate: you could always not run those apps. Although for non-technical users it would be challenging to determine if the apps were transmitting that info, it's possible for technical users to detect it (assuming the info goes to an obviously-facebook url and isn't piped through e.g. spotify)

Additionally I don't think there is anything wrong with client-side analytics in general since it's basically the only way to monitor performance/usage in production. And this type of thing is hard to discern from the more benign case

4 more replies

nine_k6y ago

I can see a difference between paid and free-to-play apps.

If I pay for the service, I can expect that the service is taking nothing more from me than the payments I make. Our contract is explicit.

If it's a free-as-in-beer service, then the user must realize that the business which is offering the service expects to get something for its purposes from the user, such as user's eyeballs and user's computing resources.

jquave6y ago

If it benefits the software developer and this is what allows their business to work, then that benefits you. If it didn't then you wouldn't have the app.

sunsetMurk6y ago

> will solely benefit Facebook and the software developer.

I mostly agree. But, in some(most) also the user by encouraging the developer to release updates and launch new features.

1 more reply

dan156y ago

Do you feel the same about Google Analytics? Its data collection is very similar.

skrebbel6y ago

> Yes, absolutely.

I support you in your courageous fight against nuance.

blackflame70006y ago

And you since you installed the app for some purpose.

api6y ago

That is the entire business model of mobile.

1 more reply

anon1020106y ago

There are other ways to target / close the circle. App developers can share emails of new installs with facebook for cross match and more options. Would this feel better?

1 more reply

alharith6y ago

So do you argue then that looking at highway banner ads caused you to deplete your glucose stores in your cells derived from the food you paid for?

baddox6y ago

It's difficult to argue about whether it's "surreptitious." It's certainly no secret. I think this is why you need organizations (perhaps government or otherwise) to establish standards for what is and isn't acceptable, so we don't have to quibble over words like "surreptitiously."

3 more replies

yashdeeph7096y ago

> Is that "spyware"? No You know its being used then you install the app. You have a choice. Either don't use Spotify and go to some shitty open source music app or give your data.

w-j-w6y ago

Why on Earth is it the advertiser's perspective that decides what is spyware. This is a consumer rights issue. As a user, I don't care what the intentions of the spying are.

Nextgrid6y ago

This is also not GDPR compliant, not that anyone actually bothers to enforce the law.

If we respect the GDPR then data sharing for Facebook Login should only happen once the user presses the Facebook login button (as at that point the data sharing becomes essential to provide the functionality).

As far as ad/marketing attribution it should be opt-in as that is not an essential requirement to provide the service (and even less so for paid apps).

In both cases the SDK breaches the GDPR as it calls out every time it's loaded and upon first launch it will "register" itself with Facebook by submitting device information (make/model, carrier name, locale, timezone, etc) and obtain a unique ID which is then used in subsequent requests, providing Facebook with a trail of your whereabouts and usage patterns based on IP addresses you connect from (which they can then correlate with any other information they have).

yllus6y ago

Re: Ad/marketing attribution, that's not necessary correct. If the data point that gets sent back to Facebook is a GUID type string that matches the GUID that got generated when you first clicked the Facebook ad for the app and doesn't include data about you specifically, I believe that's fine. I don't myself have up-to-date information what data Facebook receives via its SDK but I suspect it is GPDR compliant through such methods.

GPDR specifically allows for anonymized/aggregated data on app usage or marketing feedback: https://gdpr.eu/eu-gdpr-personal-data/

2 more replies

lucasar6y ago

That is definitely not the case for the ~10 relevant apps I have worked on.

_jal6y ago

I'm not interested in arguing definitions. I look at what apps on my phone do, and delete anything that wants to talk to the surveillance shops.

It is that simple - I don't trust or use FB, and of course that includes third party FB feeders.

trevor-e6y ago

Genuinely curious here, which apps have you kept and use daily? The number of monetized apps that don't talk to Google/FB (or other install trackers) is likely in a very small minority.

1 more reply

johnymontana6y ago

How do you monitor this?

3 more replies

fooey6y ago· 19 in thread

Seems to be some suggestions now that apps were continuing to crash even after commenting out the FB implementation because FB is managing to do remote API calls just because the framework is linked.

https://github.com/facebook/facebook-ios-sdk/issues/1373#iss...

> It does not matter. Their libraries are dynamic, and they abuse +load functions for classes with some business logic calls. So, +load will be called anyway on the application launch when dyld loads all linked frameworks.

and

> I really don't understand why it is still crashing when we turn it off? Could you please explain, why there is a remote connection even we comment out the implementation? Linking binary framework just enough to break things down, why? What do you do in background? Sending or receiving some data even it's not been initialized?

0x06y ago

I'm shocked but perhaps not surprised at many of the comments in that thread. These people are app developers who voluntarily link in huge multimegabyte binary-only third party sdks, and then act surprised that the code they are linking is prone to crashing? It should be obvious that any bug in such an SDK might bring down any app, even on launch and even if your own code never makes an explicit call to the SDK.

Third party SDKs have free reign in your apps. They can launch background threads, intercept and log any and all UI interaction and UI widget/input field values, and call home. All of this without you ever calling a single method explicitly.

It gives the SDK developers a foothold inside each app's sandbox/keychain/developer-specific app ID. It must be a gold mine for correlating and tracking users across apps and websites, breaking down the intended barrier between different apple developer team IDs and app containers.

Last time I checked one of these binary SDKs along the likes of FB, Gmaps, etc just running strings on the binary framework lib was enough to send chills down any developer's spine.

ChrisMarshallNY6y ago

We are now in a “dependency-oriented programming environment” (D.O.P.E) world.

One the one hand, it’s easy to sniff at the use of dependencies, when we have these kinds of disasters, but on the other hand, dependencies give us the ability to do truly great stuff.

For example, I program Apple devices (not just iOS). I wrote my first Apple code in 1986, so I have some “prior art.” I’ve “seen it all.”

I remember the days of MPW and MacApp, which spent most of its life in beta (Photoshop was initially based on MacApp 1.0b9, when it was first released).

Writing a full GUI experience was hard. It could take weeks to get a fairly basic app up and going.

Nowadays, with the various flavors of the Cocoa Application Framework, I can have a fairly full-featured app up in just a couple of hours.

Cocoa (and its implementation SDKs, like UIKit) is a dependency.

That said, I like to avoid dependencies wherever possible, relying on real “core” dependencies, like OS infrastructure.

It’s just that I can’t justify building my own power plant, when I can simply pay for a hookup from the pole.

There’s a good reason for the current DOPE.

Many corporations are using DOPE to “embrace and extend,” to an extent that makes Microsoft’s antics in the oughties look like child’s play.

When we use an SDK as the basis of our apps, we are giving them a huge amount of trust. They have access to everything our app can reach, which is often a lot. It also means that we may not have anyone on staff that actually knows what’s going on, under the hood, as we rely on the dependency to do most of the heavy lifting.

Apple’s App Store approval process is a pain, but this is the kind of thing they try to avoid. There’s just no way they can account for everything, and some corporations are getting very good at the whole “camel’s nose” thing.

I think that the “Wild West” nature of DOPE will shake itself out, sooner or later, with a few solid, trusted SDKs rising from the ashes.

There’s just gonna be a lot of collateral damage, on the way.

One of the worst things, is to build on a dependency, then have it collapse (or corrupt) down the road. That can be devastating.

BTW: I use the acronym “DOPE” for a reason.

The spice must flow...

1 more reply

steerablesafe6y ago

Also arguing about phoning home in a constructor versus some init() function misses the point. Why would you dynamically link to an SDK that you don't initialize?

nirui6y ago

> They can launch background threads, intercept and log any and all UI interaction and UI widget/input field values, and call home. All of this without you ever calling a single method explicitly.

Unrelated to Facebook, but some malicious SDK already doing it. For example, Igexin(https://blog.lookout.com/igexin-malicious-sdk), and it's not the only one.

Be careful when importing anything.

marcus_holmes6y ago

Every time we include a dependency in an application, we give its maintainers commit privileges to production. Who do we trust?

2 more replies

microcolonel6y ago

Turns out if you're linking in code (or even calling out to it, but that's another level of effort) you should probably have the source, or have a person on your team who can do basic RE.

interskh6y ago

I think there are two main reasons to include fb sdk - fb login - fb ads

It is not any arbitrary sdk, it is fb, probably one of the essential sdk nowadays.

1 more reply

saagarjha6y ago

(For the iOS engineers reading along: please don't put network calls in +load, or __attribute__((constructor)), or a C++ static variable, or whatever other clever way you think you can get code execution before main.)

red_admiral6y ago

For the iOS developers reading along: please ban this behaviour in a future version?

1 more reply

kccqzy6y ago

Not just network calls, but also the file system, or basically anything nontrivial.

C++ static variables can now be annotated with constinit to resolve issues like this: https://en.cppreference.com/w/cpp/language/constinit It basically asks the compiler to enforce that constructor calls can only do trivial things.

favorited6y ago

Even better: don't override +load or use static constructors!

1 more reply

rohansuri6y ago

(non C++ developer here) What is the +load being referred?

1 more reply

vvG94KbDUtRa6y ago

Spoken like someone who has never tried to optimize startup time. If network is your blocker, you need to do it as soon as possible

3 more replies

red_admiral6y ago

The next evolution of "every app in a sandbox" must surely be custom sandboxes for individual libraries within apps. The main app could selectively delegate permissions of its own (like network, camera) to the libraries, for example after obtaining user consent.

dgoldstein06y ago

I don't quite see how this would evolve?

Some logical consequences of this outage:

* Apple may ask, "what is this SDK doing and why can't it be done with IPC"?

* Other app developers may start thinking harder about the risks of SDKs and ask "why do I need this and how can I not take the reliability / security risks of code I haven't reviewed"?

* an unlikely, but not impossible outcome, is that people start looking at letting processes drop capabilities, maybe even forking SDK code into it's own subprocesses. But... why not just make the SDK ship as a separate process as part of a different app at that point? Linux I know has tons of capabilities available, yet security engineers often complain about tons of apps just not even trying to use them. So I'm skeptical anything major will change here.

But there's probably never going to be anything to guarantee that developers don't submit 3rd party code as part of their apps, effectively pretended it's their own. And as long as Apple can't tell SDK code from your original code, how can they do anything about it?

I suppose they could look at popular SDKs and make some sort of bytecode signatures of them, but that mostly just serves to figure out which apps use which SDKs, which might be useful for review or malware detection, but it's unlikely to have the fidelity to actually enforce stronger error boundaries or security boundaries.

bitcrazy6y ago

The Facebook SDK does make some calls on init.

https://developers.facebook.com/docs/app-events/gdpr-complia...

From them: "The Facebook SDK automatically initializes when the app is opened. When the SDK is initializing, it fetches app settings from Facebook. If you want to block all network requests to Facebook, you can disable automatic initialization." If you want to turn it off, you're supposed to set in your app's plist <key>FacebookAutoInitEnabled</key><false/>.

If people are claiming that the SDK is still fetching despite adding that key, that could be breaking some compliance and consent laws...

gtufano6y ago

I would be shocked...

mschuster916y ago

> If people are claiming that the SDK is still fetching despite adding that key, that could be breaking some compliance and consent laws...

It is still a violation of GDPR as I as the user never have the chance to consent (or not consent!) to any data transfer to Facebook. But as no one seems to be willing to go after FB... sigh.

2 more replies

krzat6y ago

All of this because app developers can't be bothered to add one line of code...

1 more reply

surferbayarea6y ago· 11 in thread

Why is facebook spyware part of Spotify. I signed up to Spotify via email not facebook login.

MCKapurOP6y ago

i mean, they offer FB sign in in the app, so the FB SDK is bundled with the app binary. looks like the mere presence of the library is causing crashes. someone on a related GH thread noted they commented out the code invoking the FB SDK but the issue remained.

surferbayarea6y ago

Yeah these SDKs are siphoning off data without authorization like your location, songs you listen to and who knows what else (eg other processes or apps running on your phone). Eg the latest iOS exploit allows any app to get access to all SMS data. Tech companies of today trample upon individual privacy openly. Amazing!

1 more reply

Lammy6y ago

Yes, requiring the SDK to implement Facebook Login is the decision that's being criticized. Facebook encourages SDK usage obviously for the data collection it enables, but even they provide an OAuth-only login flow that doesn't require the SDK at all: https://developers.facebook.com/docs/facebook-login/manually...

aconley3146y ago

Then if this can be fixed by a server side change as suggested below, that's worrisome, since it suggests it is communicating with FB even if you don't invoke it.

1 more reply

riazrizvi6y ago

Spotify is a web app, that is wrapped into clients on different platforms. The app is constantly pinging googletagservices.com, edgesuite.net, fbcdn.net, fbsbx.com, google.com, googlesyndication.com and doubleclick.net, however you are using the app. It doesn't matter if you only listen to one, unshared, downloaded playlist. Constant tracking.

1 more reply

floatingatoll6y ago

Facebook chose to make Facebook Login spyware, and Spotify didn't think anyone would mind when they did, because who cares about tracking? and/or wasn't aware, because who could realize this from the unclear Facebook docs? (Either is possible!)

That was a very pre-2019 decision, and now that Facebook just set the world on fire, we're probably going to see a lot fewer Login with Facebook.

Nextgrid6y ago

The ironic thing is that you can actually implement Facebook login in a privacy-respectful manner by using standard oAuth where Facebook is only contacted when the user decides to log in with it (which is mostly fine as they have an account anyway and thus consent to Facebook tracking).

1 more reply

three_seagrass6y ago

They had some big partnership deal about 8 years ago which involved some low level integration. It also gave Spotify access to more Facebook user information than what was originally authorized, like letting Spotify read users' FB messages.

I remember being grandfathered into not having it and Spotify would ask me every time I logged in to integrate my FB account.

harryf6y ago

It’s part of most apps you use on your phone - Facebook is great for app download campaigns and adding the SDK means end to end visibility on marketing. So “everyone” is using it.

In an abstract sense this is similar to how Facebook (ab)used the like button on 3rd party sites to track anyone using that site. Only it’s much worse because with an app SDK they have access to much more sensitive data.

tinus_hn6y ago

Would you expect a separate app for people who login using Facebook and people who login without?

Nextgrid6y ago

You can implement Facebook login server-side with basic oAuth. No requests to Facebook are necessary until the user actually wants to log in with Facebook.

1 more reply

ExactActuation6y ago· 9 in thread

But all of the engineers passed LeetCode, how could this be?

ignoramous6y ago

Facebook engineering generally is super competent. Leet code or not, such slip ups are bound to happen from time to time. True test of competence would be these mistakes don't repeat and that they learn from it, which I'm pretty sure they would.

SwiftyBug6y ago

Exactly. OP makes it harder on everyone expecting engineers to be flawless just because they've gone through a very selective hiring process. Programming is hard.

1 more reply

akmarinov6y ago

That’s not a slip up on their end, it’s a feature to enable them to collect stuff even if you don’t use their code.

5cott06y ago

So you're saying we can be confident they won't break democracy again?

2 more replies

Lammy6y ago

> True test of competence would be these mistakes don't repeat and that they learn from it

It's not that they aren't smart or don't learn but that FB's performance review process rewards optimizing for growth over reliability/sustainability.

e: you can downvote me but I lived it so you won't change my mind :)

mlthoughts20186y ago

> “ True test of competence would be these mistakes don't repeat and that they learn from it, which I'm pretty sure they would.”

Which begs the question why test engineers with leetcode trivia bullshit. You are yourself emphasizing why their interview process (and they are just one of many offenders) is so bananas inappropriate.

1 more reply

5cott06y ago

LeetCode easy

himaraya6y ago

Questions went stale

empath756y ago

If only they knew how to balance a binary search tree.

sreekotay6y ago· 6 in thread

Unpopular opinion: bugs happen. Be bold.

ksml6y ago

What's "be bold" supposed to mean?

saagarjha6y ago

Break every application that links your SDK, of course.

shaggyfrog6y ago

git force push, and damn the torpedoes

vvG94KbDUtRa6y ago

remove the headphone jack of course

codezero6y ago

This should not be the case for a library developer. If you accept the consequences for your app, that's fine, but you shouldn't be expected to accept the consequences of a library developer being careless.

sbmthakur6y ago

That's true. But other apps crashing due to it is much worse. Facebook would be bold if theu opens address the issue.

lancefisher6y ago· 4 in thread

We found a couple workarounds while Facebook was busy fixing this.

Option 2 could be helpful if you want to block it for privacy reasons.

Nextgrid6y ago

Does the adult filter work in apps? If so this seems like a lovely workaround for the lack of firewall.

lancefisher6y ago

It worked to fix this, so I’m assuming so.

1 more reply

govg6y ago

The adult filter probably works like a DNS bkackhole and simply bans those websites from getting resolved.

beagle36y ago

I added YouTube.com under the restricted sites (not specifically as an adult site, just restricted) and it did stop my kids from going there directly, but they figured out that they can Shazam a song, use its “show song on Youtube” feature to get a fully functioning YouTube page and start working from there.

They can’t even read yet.

I am at the same time very proud at the l33t hacking skills and upset at their disregard for rules. But mostly proud.

I will check if “adult” blocking works better.

g_p6y ago· 4 in thread

Perhaps this outage will raise awarenesses more broadly as to the prevalence of "non essential" third party SDKs like these, and the risk that their failure can significantly impact on the wider ecosystem.

I can't imagine Apple will be all too pleased by this. Perhaps time for them to look at clamping down on SDKs that make remote network requests? (Given they have their own private sign in system now as well, they might even have a secondary incentive)

dylan6046y ago

Not likely. FB has made it too easy, and developers are lazy. For the marketing/sales/PR types of the company that made the app, the info the SDK returns is exactly the type of information they want/need. At the end of the day, the "morality" of a developer will always come second to the sales/marketing/PR people. After all, you're just a developer, and there's a line a mile long of people waiting to replace you.

akmarinov6y ago

Yes, please.

Firebase should be next, requiring you to include a whole bunch of Firebase lib crap just to use Crashlytics.

munsters6y ago

At the very least, this might spawn some discussion around being able to remotely enable/disable SDKs, from a server that you control. Last week it was Google Maps, today Facebook SDK...

rimliu6y ago

From June 30th, 2020:

"Apps that authenticate or set up user accounts must support Sign in with Apple if required by guideline 4.8 of the App Store Review Guidelines."

whatthesmack6y ago· 4 in thread

We have a few thousand apps on the App Store and got bit by this today.

The SDK is very useful for a smooth login experience if the user has the Facebook app installed, because your app can offer Facebook as a login option, then just pop the user over to the Facebook app, they can tap “okay” (or whatever), and jump back to your app.

That said, we’re going to rip this thing out of our apps ASAP. No framework should be calling network code in “+load”. The convenience for the user (and the dirty tracking Facebook apparently does) is just not worth the trade-off of handing our app’s stability over to Facebook.

jeffbee6y ago

How can one developer have thousands of apps? It sounds just like a giant scattergun for malware. There are not 1000 distinct useful ways to use an iPhone.

RandallBrown6y ago

A consulting company or a company that makes "white label" apps like for restaurants or stores.

1 more reply

munsters6y ago

They probably do contract app development, with 1000s of clients

s_dev6y ago

>There are not 1000 distinct useful ways to use an iPhone.

This comment reflects badly on your imagination. There are 00s of uses for a concrete brick -- let alone a single device with a plethora of distinct functions.

firloop6y ago· 3 in thread

I block all Facebook domains with the NextDNS iOS app — didn't seem to be affected by this. Blocking spyware has its perks.

notRobot6y ago

Ditto!

    facebook.com
    fbcdn.com
    fbcdn.net
    fbsbx.com
    fb.com
    instagram.com

(^ These won't break WhatsApp)

NextDNS automatically blocks subdomains.

More info here: https://qz.com/1234502/how-to-block-facebook-all-the-urls-yo...

elliekelly6y ago

Same here and I’ve always been a bit skeptical about how well it actually works but I’m pleasantly surprised by the results of this impromptu test!

wp3816406y ago

I wish there were an easy way to deploy rpi to people I know much in the same way it's easy to tell them to install uBlock Origin

saagarjha6y ago· 2 in thread

From the crash log, it looks like the server response it's getting back is missing a field that the SDK wants. Facebook should be able to fix this on their end?

Edit: from the issue it looks like they've done something, but people are still reporting crashes…

Matthias2476y ago

The description is definitely weird. Any server change change should never crash an app, which should have proper validation for all data that it receives.

Thereby the mitigation "to update something on the server that takes time to propagate" also sounds wrong more like a rollback/mitigation than a fix of the actual issue.

MCKapurOP6y ago

it will probably take time to propagate (edit: though i didn't expect this much time, still crashing!)

bschwindHN6y ago· 2 in thread

Hi everyone,

Please use the oauth-only version for login and strip the facebook SDK garbage from your apps. It seems it's not worth the trouble.

drawkbox6y ago

The Facebook SDK is a single point of failure it seems.

If you must integrate Facebook, it is better to use OAuth + API and then control every call, only necessary ones needed i.e. login, friends, maybe game leaderboards, profile photo, etc.

Not sure why people are still putting the Facebook SDK in their apps, it is basically malware and tracking for authoritarian ends [1][2].

Engineers are supposed to be anti-authoritarians.

Engineers are supposed to be into decentralization and distributed systems, and not have single points of failure like libs with hard crashes that inject network calls that don't fail gracefully before your app can even launch.

[1] https://www.nytimes.com/2017/11/05/world/yuri-milner-faceboo...

[2] https://www.theguardian.com/news/2017/nov/05/russia-funded-f...

busymom06y ago

> Engineers are supposed to be anti-authoritarians

Strongly disagree on this. Exact opposite maybe but I don't want to generalize. Modern authoritarian tactics are pretty much impossible without engineering.

1 more reply

user9826y ago· 2 in thread

Zoom dodged this bullet.

ilikehurdles6y ago

And got so much flak for it. How much "zomg you're spying on me" press are the other 50% of the iOS ecosystem going to receive for doing the same thing Zoom did, going on a decade.

Nextgrid6y ago

Just because others are doing it doesn't make it okay.

vmception6y ago· 2 in thread

Hm my whatsapp crashed midcall today, wonder if they use the Facebook SDK or something else

alex-wallish6y ago

Given that whatsapp is owned by facebook, that seems very likely.

vmception6y ago

that's exactly why I was wondering if they use something else, a better internal shared library for accessing facebook services

a-wu6y ago· 1 in thread

I hope that this incident and the Zoom incident will motivate app developers to remove the Facebook SDK when possible.

GrinningFool6y ago

In most cases, it's not really up to the app developers.

cpv6y ago· 1 in thread

Maybe this will motivate product owners, developers, marketers, to start thinking before implementing a dozen of SDKs in a mobile app (or website). It's understandable when you need some analytics/crash reporting, but it becomes a privacy and ethics question when a lot of data is wandering around, and even better, crashes your app. And the users will blame you, they don't even know how many SDKs are there and what they are doing.

sakarisson6y ago

> And the users will blame you

Rightfully so. If you add an SDK to you app, it's your fault if the SDK causes your app to crash.

ohleg6y ago· 1 in thread

Is there a postmortem available on this? Perhaps I missed it in the sea of comments.

seumars6y ago

I've always wondered how the word postmortem found its way into tech. Are we calling code reviews autopsies now?

floatingatoll6y ago· 1 in thread

18 minutes ago:

> Server side change is already reverted. The crash will vanish.

jfim6y ago

> Still crashing 30 minutes after your revert. Are you sure you reverted the right thing?

lennykhazan6y ago· 1 in thread

guess we're back to "move fast and break things"

Austin_Conlon6y ago

Move slowly with unstable infra.

wicket6y ago· 1 in thread

Is this a library or an SDK? Why on earth would you install an SDK on an end-user's phone?

jannes6y ago

The SDK contains the library. I guess in app developer circles these terms are conflated.

MCKapurOP6y ago

Also: Tinder, Venmo, GrubHub (think of the botched deliveries heh), and more. An ongoing list here: https://twitter.com/aburninghilll/status/1258169688959352832

Also see: https://github.com/facebook/facebook-ios-sdk/issues/1373

felubra6y ago

This comment made my day LOL https://github.com/facebook/facebook-ios-sdk/issues/1374#iss...

aboringusername6y ago

I really think the use of remote, undocumented and unknown code just needs to end. Including the SDK which can make changes invisibly should never be an acceptable practice.

And it's why I am weary of installing apps in general. Tip: use f-droid, check privacy exodus and stick to the browser where possible, where you can have much greater control, and not be spied on by FB.

yumraj6y ago

Is there a comprehensive list of applications that have the FB SDK in them so that I can decide to not install those?

Does Apple use FB SDK in their apps? I think not, but can someone confirm?

veeti6y ago

Same thing happened with Google Maps SDK just a few weeks ago.

https://www.reddit.com/r/androiddev/comments/g6t8fu/google_m...

jasonlingx6y ago

> This is insane, half of the apps on my phone aren't launching!

> Please move slower and break fewer things. Thank you.

tomduncalf6y ago

A similar thing happened with Google Maps recently: https://twitter.com/GergelyOrosz/status/1253608276660551680

Not sure what the lesson is, other than that you can’t trust third party code, even if it’s written by the worlds largest companies!

asquabventured6y ago

Waze, a company owned by Google was also broken and force crashing over and over again for a few hours.

Whenever I hear of some Facebook offering all I think of is when you dance with the devil, you shouldn't be surprised when you get burned.

trustfundbaby6y ago

Wow. At almost exactly the time that report was filed ... about 30-40 Minutes, my spotify ios app started crashing. I was listening to a song on my desktop, and wanted to share it on my instagram so I went to the app to do it. everytime I opened up the app it would crash immediately, I restarted my phone, tried it again, and it was fine for about 5 seconds and then crash ... crash ... crash ...

I filed a report with Spotify and by the time they got back to me, the problem had gone away ... I thought it was very odd, until I read this post ...

I guess now I know what happened.

brenden26y ago

This is one of several reasons why I refuse to install apps unless I absolutely must. You have no way of knowing what kind of spyware is bundled with them, and there's no way to block it (like you can in a proper browser with uBlock Origin).

pkage6y ago

Looks like it's back to normal (ish) now. I'm curious as to what kind of testing they have that this wasn't caught by a test suite though--login integration seems like an incredibly important thing to not break.

bvandewalle6y ago

Is there a list somewhere of all the apps importing the spyware Facebook SDK?

manigandham6y ago

For all the privacy stuff that Apple does on Safari, it does absolutely nothing against the tracking issues in the mobile app ecosystem.

The unspoken rule is because apps make money for Apple and websites don't.

gwittel6y ago

Ouch. Not knowing how the iOS apps are written, two questions come to mind:

1) Why wasn’t the SDK written to tolerate bad data and fail gracefully?

2) Could clients integrating the SDK be written to tolerate failures like this?

addicted2Code6y ago

I had to remove the SDK a few months ago due to it causing crashes. If I remember correctly they injected some code into didSelectRowAtIndexPath for table / collection views...Looks like its fixed now but I definitely won't be adding it back, https://github.com/facebook/facebook-ios-sdk/issues/1318

fxtentacle6y ago

How to gain market share? Release a breaking server-side update and "forget" to inform other vendors in time so that their apps crash, while yours do not.

lucasar6y ago

You beat me by a couple of minutes. Dear Facebook: Please move slower and break fewer things. Thank you very much.

joeblau6y ago

This is a good resource to see who is being impacted[1].

[1] - https://downdetector.com

kjgkjhfkjf6y ago

This is a nice demonstration of why exceptions, in particular untyped exceptions, are a major liability.

xenospn6y ago

I had no idea why my app was suddenly crashing multiple times all of a sudden. God fucking damnit.

nickpinkston6y ago

Move fast and break other things

outside12346y ago

Ah that is what is happening!!! Thanks HN. :)

bilifuduo6y ago

Guess Joma was right: https://www.youtube.com/watch?v=rR4n-0KYeKQ

sferik6y ago

At least they moved fast.

anticensor6y ago

This is surely a competition violation, wordly blocking competing products from operating.

lifeAsNerd6y ago

But Apple advertising says we have privacy!

32gbsd6y ago

good

scottmf6y ago

I’m calling it “lefb-pad”

AzzieElbab6y ago

10 to 1 it is going to be about SDKs generated from php with its bizzaire associate arrays.

j / k navigate · click thread line to collapse