
Can Facebook provide postmortems on their iOS SDK crashes? - Austin_Conlon
https://github.com/facebook/facebook-ios-sdk/issues/1385
======
bgdam
It seems Facebook mandates the use of the SDK if apps wish to provide 'Login
with Facebook' functionality. My question is this - Why would any company
include this SDK, which is basically spyware into their apps, simply in order
to have a slightly easier login flow? Is implementing a user authentication
system really so complicated, that you guys think it is okay to give away
control of your users, and even your app's ability to even startup without
crashing, to a third party company over whom you have no control, who has no
obligation to not break your app at their whim?

~~~
zumachase
> Why would any company include this SDK

> Is implementing a user authentication system really so complicated

"Login with Facebook" isn't popular because it saves developer time. It's
popular because it massively reduces signup friction which results in higher
conversion rates. These things are super important. We offer Google login with
our only consumer facing app[1] and we see a solid 40% of accounts use that
method vs. email. I would venture a guess that a sizable minority, bordering
on majority, of those accounts would simply never sign up in the first place
without some sort of SSO.

I agree with your sentiments and frustrations, but whenever something seems to
be too ridiculous to be true (as this might seem to some devs) there's often
something else at play.

[1] Squawk - Walkie Talkie for Teams
[https://www.squawk.to](https://www.squawk.to)

~~~
sargun
Personally I use login with Google because:

1. I “trust” Google auth - I know they won’t store passwords in plaintext or
   anything funny like that
2. It’s a centralized place I can use to rotate my keys
3. I can revoke accounts

Signing up via email on each site means a password manager entry at a minimum,
and probably no 2FA, or brute force resistance.

~~~
KiwiJohnno
I never use login with Google, because if one day some automated process
decided to suspend my account then I'd also lose access to all other systems I
was using Google for authentication.

You're basically at the mercy of getting hold of Google's nearly nonexistent
support to get this resolved.

~~~
pcr0
As a user with a $19/year Google One subscription, I find Google support quite
easy to reach.

~~~
sargun
I also pay $dollars/year for Google. Turns out, when you start paying people
money, and it becomes a legal liability for them to screw up, they
act...better?

I have a one-click button to download all my data from Google (which turns out
to be an absolute pain because it's in the ~100s of GB range).

~~~
ThePowerOfFuet
Yeah, good luck with that button after they've pushed theirs first.

------
ObsoleteNerd
Facebook doesn't care. Apple doesn't care (enough to block/punish Facebook).
These days the only answer is to treat the web like a hostile environment and
protect yourself from malicious companies like Facebook, intent on deploying
spyware and ruining the user experience in exchange for more data to profit
from.

Install a Pi-Hole or similar on your network, block all FB domains. It doesn't
break the web for you, it actually makes it a lot faster/nicer. Blocking
Google is trickier due to core functionality of major sites depending on some
of their services, but you can still block lots of it and still have a totally
normal (improved) experience in your daily browsing.

(Yes, blocking all FB domains on my network stopped the recent FB bugs from
crashing my apps, Spotify/etc worked flawlessly throughout that period, except
when I disabled the Pi-Hole temporarily to see what all the fuss was about)

~~~
dvt
This is so true (and so sad). The web is no longer _everyone's_ playground.
If you want to play, you play by _Apple's_ rules, or by _Facebook's_ rules.
This is a double-edged sword, because it was, after all, _Apple's_ way that
gave way to the phone app renaissance of the 2010s.

~~~
harry8
Nokia n770 was mostly there. n900 was there. If we'd stuck with that as an
alternative instead of having Microsoft kill it all smartphones would be so
much better. A real alternative that didn't suck and treat users as product
really would have slowed if not prevented the ios v android race to the bottom
of user hostility.

Which does one think is worse? Apple or Google? Because there's no way either
of those are in any sense "good".

------
kevin_b_er
Considering the SDK is set up to run, and crash, with just being linked in and
not even a single call, FB should be responding.

Their app is clearly phoning home during the self-initialization. For a period
of time it was breaking massively, then suddenly not. That means some orders
from the home server were bad and causing the SDK to crash the app out. All
during a secret self-initialization the developer can't temporarily take out.

~~~
onion2k
_Apple_ should be responding. If a third party library is leading to massively
downgraded performance of users' devices, Apple should be warning developers
that their apps could be rejected if they don't guard against the broken
behaviour.

The fact developers _can't_ do anything is a good reason not to use the SDK,
not just to accept the problem.

If this continues to happen regularly Apple will start taking measures to stop
the problem - and banning apps is a (very unlikely) possibility.

~~~
kevin_b_er
Apple could ban the hooking trick the SDK uses to run w/o an initialization
call and prevent app updates.

Then either FB fixes their nonsense or developers remove the SDK.

------
swagonomixxx
What I don't understand here is, how did this break apps that had "old" SDK
versions?

Did some HTTP call the initialization code make end up raising an exception on
some unexpected status code and end up crashing the entire application?

I don't understand why this kind of control flow is acceptable. Is it
documented at least? And if it is documented, how come we can't fork this SDK
(seems to be on GitHub, seems fork-eable) and remove this "feature"?

~~~
geofft
The backtrace in
[https://github.com/facebook/facebook-ios-sdk/issues/1374](https://github.com/facebook/facebook-ios-sdk/issues/1374)
makes it sound like they passed a nil pointer to NSOrderedSet's initWithSet
method, from inside FBSDKServerConfigurationManager's
processLoadRequestResponse method. That makes it sound like a new version of
the data provided by the server didn't have some field that old versions of
the SDK expected, and the old code didn't catch that exception.
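
The failure mode this comment describes (an older client assuming a server-supplied field is always present and well-typed) next to a defensive parse, as an added Objective-C example that is not part of the thread and not Facebook SDK code. The key name and function names are hypothetical and the sample responses are constructed.

```objectivec
#import <Foundation/Foundation.h>

// Hypothetical key name for illustration; not taken from the Facebook SDK.
static NSString *const kFeatureListKey = @"enabled_features";

// Returns obj if it is an instance of cls, otherwise nil. Decoded JSON can
// hold NSNull or an unexpected container type in any position.
static id TypedOrNil(id obj, Class cls) {
  return [obj isKindOfClass:cls] ? obj : nil;
}

// Fragile form: trusts the server to always send an array. A missing key
// gives nil and a JSON null gives NSNull; neither is an NSArray, and treating
// them as one can raise an uncaught exception that terminates the app.
NSOrderedSet *ParseFeaturesUnsafe(NSDictionary *response) {
  NSArray *list = response[kFeatureListKey];
  return [NSOrderedSet orderedSetWithArray:list];
}

// Hardened form: every level is type-checked, and anything unexpected
// degrades to an empty set instead of an exception.
NSOrderedSet<NSString *> *ParseFeaturesSafe(id response) {
  NSDictionary *dict = TypedOrNil(response, [NSDictionary class]);
  NSArray *list = TypedOrNil(dict[kFeatureListKey], [NSArray class]);
  NSMutableOrderedSet<NSString *> *out = [NSMutableOrderedSet orderedSet];
  for (id item in list) {  // a nil list simply yields no iterations
    if ([item isKindOfClass:[NSString class]]) {
      [out addObject:item];
    }
  }
  return [out copy];
}

int main(void) {
  @autoreleasepool {
    // Constructed sample responses, not captured from any real server.
    NSArray *samples = @[
      @{kFeatureListKey : @[ @"a", @"b", @"a" ]},  // expected shape
      @{},                                          // field missing
      @{kFeatureListKey : [NSNull null]},           // JSON null
      @{kFeatureListKey : @{@"a" : @YES}},          // wrong container type
      @[ @"not a dictionary" ],                     // wrong top-level type
    ];
    for (id sample in samples) {
      NSLog(@"%lu feature(s)", (unsigned long)ParseFeaturesSafe(sample).count);
    }
  }
  return 0;
}
```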

~~~
saagarjha
(That’s the old crash.)

------
tannhaeuser
A couple years ago, after a long-winded process seeing its inventor drop out
of the process in frustration, OpenID Connect was poised to become the
portable authentication/identity mechanism of choice for logging in using
Fb's, Google's, and other providers' (Apple's/icloud's?) user base. I still
don't fully understand what has happened to the few interworking initiatives
that were created in the 2010s compared to the 2000s. I mean, using Fb and
Google as identity provider has maybe its own set of issues, but the
expectations we had towards tech were markedly different in that proprietary
protocols were universally rejected.

~~~
judge2020
Probably a business decision. Pushing devs to use the full SDK is going to
ease them into using other products provided by the SDK, such as easy
remarketing/ROI tracking when using the company's ad platform.

------
exikyut
Question.

In
[https://github.com/facebook/facebook-ios-sdk/issues/1373#issuecomment-625092730](https://github.com/facebook/facebook-ios-sdk/issues/1373#issuecomment-625092730),
it's noted that FBSDK starts in the `+load` method. I understand that's
what's causing the crashes.

In
[https://github.com/facebook/facebook-ios-sdk/issues/1427#issuecomment-656656106](https://github.com/facebook/facebook-ios-sdk/issues/1427#issuecomment-656656106),
someone mentions that

    <key>FacebookAutoInitEnabled</key>
    <false/>

disables auto init. Couldn't this potentially eliminate all FBSDK-related
startup/non-interactively-caused crashes?

------
jeffrallen
Not while Github is down, they can't...

------
person_of_color
I’m saddened that an app just completely disappears with no dialog to the user
during an unhandled exception...

