
Facebook iOS SDK Remotely Crashing Spotify, TikTok, Pinterest, Winno and More - MCKapur
https://github.com/facebook/facebook-ios-sdk/issues/1374
======
fooey
Seems to be some suggestions now that apps were continuing to crash even after
commenting out the FB implementation because FB is managing to do remote API
calls just because the framework is linked.

[https://github.com/facebook/facebook-ios-sdk/issues/1373#iss...](https://github.com/facebook/facebook-ios-sdk/issues/1373#issuecomment-624944045)

> It does not matter. Their libraries are dynamic, and they abuse +load
> functions for classes with some business logic calls. So, +load will be
> called anyway on the application launch when dyld loads all linked
> frameworks.

and

> I really don't understand why it is still crashing when we turn it off?
> Could you please explain, why there is a remote connection even we comment
> out the implementation? Linking binary framework just enough to break things
> down, why? What do you do in background? Sending or receiving some data even
> it's not been initialized?

~~~
0x0
I'm shocked but perhaps not surprised at many of the comments in that thread.
These people are app developers who voluntarily link in huge multimegabyte
binary-only third party sdks, and then act surprised that the code they are
linking is prone to crashing? It should be obvious that any bug in such an SDK
might bring down any app, even on launch and even if your own code never makes
an explicit call to the SDK.

Third party SDKs have free rein in your apps. They can launch background
threads, intercept and log any and all UI interaction and UI widget/input
field values, and call home. All of this without you ever calling a single
method explicitly.

It gives the SDK developers a foothold inside each app's
sandbox/keychain/developer-specific app ID. It must be a gold mine for
correlating and tracking users across apps and websites, breaking down the
intended barrier between different apple developer team IDs and app
containers.

Last time I checked one of these binary SDKs (along the lines of FB, Gmaps,
etc.), just running strings on the binary framework lib was enough to send
chills down any developer's spine.

~~~
marcus_holmes
Every time we include a dependency in an application, we give its maintainers
commit privileges to production. Who do we trust?

~~~
0x0
An open source SDK can at least be audited and locked to a particular version,
with no hidden shenanigans.

------
yllus
For those wondering why the Facebook SDK is so widely used in popular mobile
apps: Facebook Login is actually in the minority of reasons to add the
Facebook SDK to your mobile app. The vast majority of apps will add the
Facebook SDK because it contains Facebook App Ads; a library that "completes
the circle" in terms of finding out how effectively the ads you ran on
Facebook were at getting people to download, install and run your mobile app.
So really the Facebook SDK is there to collect data of that advertisement
being effective and provides both Facebook and the mobile app developer with
knowledge of how their ad spend went.

Is that "spyware"? Some would call it merely wanting to know if your marketing
budget was wisely spent - I suppose a lot depends on what data it collects on
people.

More info: [https://developers.facebook.com/docs/app-ads](https://developers.facebook.com/docs/app-ads)

~~~
Nicksil
>Is that "spyware"?

Yes, absolutely.

It uses energy and bandwidth I paid for to surreptitiously transmit my
information for use which will solely benefit Facebook and the software
developer.

~~~
marmada
I feel like I'm in the minority here -- but I don't understand the problem.

Software developers want to know whether their existing marketing methods are
effective. The FB SDK helps with this. You always have the choice to not
install the app (if you don't want to).

This also helps developers make sure their marketing is effective and reaching
the right people, which seems like a win-win to me.

~~~
Nicksil
>Software developers want to know whether their existing marketing methods are
effective. The FB SDK helps with this.

As you mention, this is something the _software developer_ wants, not
necessarily the _user_.

>You always have the choice to not install the app (if you don't want to).

This argument may have some teeth if directed toward a user in our industry.
Depending on the scope of the particular software in question, the majority of
users are likely to be those outside the software industry; the layman. The
argument falls flat when the other person doesn't have the necessary
understanding to be able to perform thoughtful analysis.

>This also helps developers make sure their marketing is effective and
reaching the right people, which seems like a win-win to me.

That may be one reason this practice is in use. I don't see how it makes the
difference: the software developer continues these practices with no
consideration of their user, much less the user's consent or indication
anything is going on at all. It's all about what the software developer wants,
not the user, and that's not OK.

~~~
geofft
This very same argument would apply to, say, "5% of the price of my dinner
goes towards healthcare for the waitstaff. That's something the company wants,
not something I want."

There are much better arguments for it being spyware, e.g., that it spies. It's
not a very strong argument that a thing is bad simply because it helps the
provider of the thing.

~~~
giantDinosaur
I certainly don't want 5% of the price of my dinner going to healthcare costs.
Don't tell me that's something that actually happens where you live?

~~~
paranoidrobot
Is your objection the 5% or that it's going to healthcare costs?

~~~
marcus_holmes
I think the objection is that for most of western civilisation, healthcare
costs are paid for by taxes not employers

~~~
geofft
OK, but those taxes are paid by someone (usually business taxes). I am
strongly in favor of government-funded healthcare but the number of countries
where the government can be funded by, like, drilling oil is very small, so I
think my argument stands - some portion of the money I spend on dinner is
going not towards things that directly produce my dinner but things that
someone else thinks is worthwhile. Even if I agree with it, it's not my
decision.

~~~
giantDinosaur
Structuring something in the interests of what benefits them won't necessarily
align with what benefits you, since the actual structure of the relationship
matters, as brief regard to my flippant comment on your analogy. It isn't
about what % of dinner goes to healthcare - it's (and I was assuming some
hideous employer-pays healthcare system) rather about the system which is
built to align incentives and benefits in certain ways. That is, I stand to
lose in many situations if healthcare is provided directly by the payments of
my customers, or whatever. Likewise, with privacy, it isn't just that 'it
spies', it's that what it purports to aid me in is likely coincidental. Just
like a targeted advertisement actually really benefiting me is effectively
irrelevant to the advertiser - it's just nice if our incentives happen to
align, for one brief moment. :-)

It isn't so nice when they don't.

------
surferbayarea
Why is facebook spyware part of Spotify. I signed up to Spotify via email not
facebook login.

~~~
MCKapur
i mean, they offer FB sign in in the app, so the FB SDK is bundled with the
app binary. looks like the mere presence of the library is causing crashes.
someone on a related GH thread noted they commented out the code invoking the
FB SDK but the issue remained.

~~~
surferbayarea
Yeah these SDKs are siphoning off data without authorization like your
location, songs you listen to and who knows what else (eg other processes or
apps running on your phone). Eg the latest iOS exploit allows any app to get
access to all SMS data. Tech companies of today trample upon individual
privacy openly. Amazing!

~~~
MCKapur
i'm by a longshot no facebook fan but... are you sure the SDK can actually
siphon out what songs you listen or your location from the app it's sandboxed
in (which, BTW, is in its own sandbox from an iOS system POV, and also has its
own set of permissions)?

~~~
surferbayarea
Well the reason FB/Foursquare/Google etc add these to 3rd party apps is so
they can get data. Example if you visit a website which has a Facebook like
button, your browser fetches the js files/which maybe even makes an API call
to let FB know your IP (and hence location). All this data is fed to the giant
system that feeds you ads. Adding their SDK to other apps/sites (even if there
is no user facing need) is a common strategy used by most big companies to get
data. In return the app that puts in the SDK gets $ from the company.

~~~
lucasar
You have no idea what you're talking about. Apps use the Facebook library
because a good portion of end-users want to be able to login with a Facebook
button --or Google, or whatever that doesn't require them to create a
user/password account. It's just that simple.

~~~
surferbayarea
I have been witness to such business partnerships to embed SDKs to siphon
telemetry/other data. The world is not as simple as you think...

~~~
MCKapur
well, this would be extremely believable

------
lancefisher
We found a couple workarounds while Facebook was busy fixing this.

1. Airplane mode
2. Block facebook.com as adult content under Settings | Screen Time | Content Restrictions | Web Content | Limit Adult Websites | Add a site.
3. Block facebook.com at your router.

Option 2 could be helpful if you want to block it for privacy reasons.

~~~
Nextgrid
Does the adult filter work in apps? If so this seems like a lovely workaround
for the lack of firewall.

~~~
lancefisher
It worked to fix this, so I’m assuming so.

~~~
iostestadult
I tried adding spotify.com as a limited adult website and I can still use the
Spotify app normally. So either I'm missing something or it can't be used as a
firewall.

~~~
argestes
You might be using their magical p2p network.

~~~
iostestadult
I tried with various app and I can’t break any of them. I’d be really
interested in a firewall for iOS

------
g_p
Perhaps this outage will raise awareness more broadly as to the prevalence
of "non essential" third party SDKs like these, and the risk that their
failure can significantly impact the wider ecosystem.

I can't imagine Apple will be all too pleased by this. Perhaps time for them
to look at clamping down on SDKs that make remote network requests? (Given
they have their own private sign in system now as well, they might even have a
secondary incentive)

~~~
dylan604
Not likely. FB has made it too easy, and developers are lazy. For the
marketing/sales/PR types of the company that made the app, the info the SDK
returns is exactly the type of information they want/need. At the end of the
day, the "morality" of a developer will always come second to the
sales/marketing/PR people. After all, you're just a developer, and there's a
line a mile long of people waiting to replace you.

------
firloop
I block all Facebook domains with the NextDNS iOS app — didn't seem to be
affected by this. Blocking spyware has its perks.

~~~
notRobot
Ditto!

    facebook.com
    fbcdn.com
    fbcdn.net
    fbsbx.com
    fb.com
    instagram.com

(^ These won't break WhatsApp)

NextDNS automatically blocks subdomains.

More info here: [https://qz.com/1234502/how-to-block-facebook-all-the-urls-yo...](https://qz.com/1234502/how-to-block-facebook-all-the-urls-you-need-to-block-to-actually-stop-using-facebook/)

------
MCKapur
Also: Tinder, Venmo, GrubHub (think of the botched deliveries heh), and more.
An ongoing list here:
[https://twitter.com/aburninghilll/status/1258169688959352832](https://twitter.com/aburninghilll/status/1258169688959352832)

Also see: [https://github.com/facebook/facebook-ios-sdk/issues/1373](https://github.com/facebook/facebook-ios-sdk/issues/1373)

------
whatthesmack
We have a few thousand apps on the App Store and got bit by this today.

The SDK is very useful for a smooth login experience if the user has the
Facebook app installed, because your app can offer Facebook as a login option,
then just pop the user over to the Facebook app, they can tap “okay” (or
whatever), and jump back to your app.

That said, we’re going to rip this thing out of our apps ASAP. No framework
should be calling network code in “+load”. The convenience for the user (and
the dirty tracking Facebook apparently does) is just not worth the trade-off
of handing our app’s stability over to Facebook.

~~~
jeffbee
How can one developer have thousands of apps? It sounds just like a giant
scattergun for malware. There are not 1000 distinct useful ways to use an
iPhone.

~~~
RandallBrown
A consulting company or a company that makes "white label" apps like for
restaurants or stores.

~~~
jeffbee
Can we agree that each restaurant having a separate app is one of the dumbest
outcomes imaginable?

~~~
busymom0
That's not how it actually is. Apple actually rejects those type of template
apps. The restaurants use an ad-hoc way of installing the apps. So those apps
are only available to the restaurant for example.

~~~
JimDabell
No, Apple accepts white label applications. Their requirement is that if
you're going to release a white label application, then it should be released
under the customer's own individual Apple developer account rather than having
them all under one developer account.

------
a-wu
I hope that this incident and the Zoom incident will motivate app developers
to remove the Facebook SDK when possible.

~~~
GrinningFool
In most cases, it's not really up to the app developers.

------
saagarjha
From the crash log, it looks like the server response it's getting back is
missing a field that the SDK wants. Facebook should be able to fix this on
their end?

Edit: from the issue it looks like they've done something, but people are
still reporting crashes…

~~~
Matthias247
The description is definitely weird. Any server change should never
crash an app, which should have proper validation for all data that it
receives.

Thereby the mitigation "to update something on the server that takes time to
propagate" also sounds wrong, more like a rollback/mitigation than a fix of the
actual issue.

------
felubra
This comment made my day LOL [https://github.com/facebook/facebook-ios-sdk/issues/1374#iss...](https://github.com/facebook/facebook-ios-sdk/issues/1374#issuecomment-624939133)

------
aboringusername
I really think the use of remote, undocumented and unknown code just needs to
end. Including the SDK which can make changes invisibly should never be an
acceptable practice.

And it's why I am wary of installing apps in general. Tip: use f-droid, check
privacy exodus and stick to the browser where possible, where you can have
much greater control, and not be spied on by FB.

------
bschwindHN
Hi everyone,

Please use the oauth-only version for login and strip the facebook SDK garbage
from your apps. It seems it's not worth the trouble.

~~~
drawkbox
The Facebook SDK is a single point of failure it seems.

If you must integrate Facebook, it is better to use OAuth + API and then
control every call, only necessary ones needed i.e. login, friends, maybe game
leaderboards, profile photo, etc.

Not sure why people are still putting the Facebook SDK in their apps, it is
basically malware and tracking for authoritarian ends [1][2].

Engineers are supposed to be anti-authoritarians.

Engineers are supposed to be into decentralization and distributed systems,
and not have single points of failure like libs with hard crashes that inject
network calls that don't fail gracefully before your app can even launch.

[1] [https://www.nytimes.com/2017/11/05/world/yuri-milner-faceboo...](https://www.nytimes.com/2017/11/05/world/yuri-milner-facebook-twitter-russia.html)

[2] [https://www.theguardian.com/news/2017/nov/05/russia-funded-f...](https://www.theguardian.com/news/2017/nov/05/russia-funded-facebook-twitter-investments-kushner-investor)

~~~
busymom0
> Engineers are supposed to be anti-authoritarians

Strongly disagree on this. Exact opposite maybe but I don't want to
generalize. Modern authoritarian tactics are pretty much impossible without
engineering.

~~~
ergl
Wait, are you saying that (software) engineers should _actually_ be
authoritarian? And you suggest this is because otherwise "authoritarian
tactics" wouldn't work?

~~~
busymom0
No, I did not say that. I am not even talking about what they should or
shouldn't be. There's no set rule which says engineers are supposed to be pro-
authoritarians or anti-authoritarians.

I was disagreeing with what the parent said: "Engineers are supposed to be
anti-authoritarians."

I take that to mean that the person thinks engineers are anti-authoritarians -
which is simply false and not what happens in real life. Engineers are often
enablers of authoritarians.

And this is a bad thing but just fact of life. Humans are flawed and greedy
for power. There are higher chances of someone with power to abuse it
(engineer in this example but could apply to others too).

~~~
ergl
Ah, right. Your wording of "Exact opposite maybe" made me think you were
suggesting that.

I agree that what engineers _should_ be is different from engineers _actually_
are, and that today you see how software is definitely enabling authoritarian
rule. I wish it wasn't so, and I guess that's what OP wanted to communicate.

------
yumraj
Is there a comprehensive list of applications that have the FB SDK in them so
that I can decide to not install those?

Does Apple use FB SDK in their apps? I think not, but can someone confirm?

------
veeti
Same thing happened with Google Maps SDK just a few weeks ago.

[https://www.reddit.com/r/androiddev/comments/g6t8fu/google_m...](https://www.reddit.com/r/androiddev/comments/g6t8fu/google_maps_sdk_error_started_popping_on_last_hour/)

------
jasonlingx
> This is insane, half of the apps on my phone aren't launching!

> Please move slower and break fewer things. Thank you.

------
cpv
Maybe this will motivate product owners, developers, marketers, to start
thinking before implementing a dozen of SDKs in a mobile app (or website).
It's understandable when you need some analytics/crash reporting, but it
becomes a privacy and ethics question when a lot of data is wandering around,
and even better, crashes your app. And the users will blame you, they don't
even know how many SDKs are there and what they are doing.

~~~
sakarisson
> And the users will blame you

Rightfully so. If you add an SDK to your app, it's your fault if the SDK causes
your app to crash.

------
tomduncalf
A similar thing happened with Google Maps recently:
[https://twitter.com/GergelyOrosz/status/1253608276660551680](https://twitter.com/GergelyOrosz/status/1253608276660551680)

Not sure what the lesson is, other than that you can’t trust third party code,
even if it’s written by the world's largest companies!

------
asquabventured
Waze, a company owned by Google was also broken and force crashing over and
over again for a few hours.

Whenever I hear of some Facebook offering all I think of is when you dance
with the devil, you shouldn't be surprised when you get burned.

------
trustfundbaby
Wow. At almost exactly the time that report was filed ... about 30-40 minutes,
my spotify ios app started crashing. I was listening to a song on my desktop,
and wanted to share it on my instagram so I went to the app to do it.
Every time I opened up the app it would crash immediately, I restarted my
phone, tried it again, and it was fine for about 5 seconds and then crash ...
crash ... crash ...

I filed a report with Spotify and by the time they got back to me, the problem
had gone away ... I thought it was very odd, until I read this post ...

I guess now I know what happened.

------
brenden2
This is one of several reasons why I refuse to install apps unless I
absolutely must. You have no way of knowing what kind of spyware is bundled
with them, and there's no way to block it (like you can in a proper browser
with uBlock Origin).

------
0h139
Is there a postmortem available on this? Perhaps I missed it in the sea of
comments.

~~~
seumars
I've always wondered how the word postmortem found its way into tech. Are we
calling code reviews autopsies now?

------
pkage
Looks like it's back to normal (ish) now. I'm curious as to what kind of
testing they have that this wasn't caught by a test suite though--login
integration seems like an incredibly important thing to not break.

------
bvandewalle
Is there a list somewhere of all the apps importing the spyware Facebook SDK?

------
manigandham
For all the privacy stuff that Apple does on Safari, it does absolutely
nothing against the tracking issues in the mobile app ecosystem.

The unspoken rule is because apps make money for Apple and websites don't.

------
gwittel
Ouch. Not knowing how the iOS apps are written, two questions come to mind:

1) Why wasn’t the SDK written to tolerate bad data and fail gracefully?

2) Could clients integrating the SDK be written to tolerate failures like
this?
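Both of gwittel's questions, and Matthias247's point earlier that a server change should never crash a client, come down to how an SDK treats a response it did not expect. The following is an added example, not code from the Facebook SDK or from anyone in this thread: a hypothetical iOS settings fetch whose parser reads each field on its own and keeps a safe default when the field is missing or has the wrong type. The `AppSettings` type and the keys `logging_enabled`, `session_timeout` and `advertiser_tracking_enabled` are assumptions, not the real wire format.

```swift
import Foundation

// Hypothetical remote "app settings" record; NOT the Facebook SDK's real schema.
struct AppSettings {
    var loggingEnabled: Bool
    var sessionTimeoutSeconds: Int
    var advertiserTrackingEnabled: Bool

    // Conservative defaults: if the server says nothing usable, the SDK stays quiet.
    static let safeDefaults = AppSettings(loggingEnabled: false,
                                          sessionTimeoutSeconds: 60,
                                          advertiserTrackingEnabled: false)
}

/// Tolerant parser for the settings response. Every field is read on its own,
/// type-checked, and replaced by the safe default when it is missing or malformed.
/// The function never traps or throws, so a server-side schema change degrades
/// the SDK's features instead of taking the host app down.
func parseAppSettings(_ data: Data) -> (settings: AppSettings, warnings: [String]) {
    var settings = AppSettings.safeDefaults
    var warnings: [String] = []

    guard let json = try? JSONSerialization.jsonObject(with: data),
          let object = json as? [String: Any] else {
        warnings.append("response is not a JSON object; using all defaults")
        return (settings, warnings)
    }

    // Reads `key` as type T, or records why the default is being kept.
    func field<T>(_ key: String, keeping current: T) -> T {
        guard let raw = object[key] else {
            warnings.append("missing '\(key)'; keeping \(current)")
            return current
        }
        guard let value = raw as? T else {
            warnings.append("'\(key)' is \(type(of: raw)), expected \(T.self); keeping \(current)")
            return current
        }
        return value
    }

    settings.loggingEnabled = field("logging_enabled", keeping: settings.loggingEnabled)
    settings.sessionTimeoutSeconds = field("session_timeout", keeping: settings.sessionTimeoutSeconds)
    settings.advertiserTrackingEnabled = field("advertiser_tracking_enabled",
                                               keeping: settings.advertiserTrackingEnabled)

    // Range check: a syntactically valid but nonsensical value is rejected too.
    if settings.sessionTimeoutSeconds <= 0 {
        warnings.append("session_timeout must be positive; keeping default")
        settings.sessionTimeoutSeconds = AppSettings.safeDefaults.sessionTimeoutSeconds
    }
    return (settings, warnings)
}

// Constructed sample response: the server dropped "session_timeout" and sent a
// string where a Bool is expected. A naive `dict["session_timeout"] as! Int`
// would trap here; the tolerant parser only logs two warnings.
let sample = #"{"logging_enabled": "yes", "advertiser_tracking_enabled": true}"#
let result = parseAppSettings(Data(sample.utf8))
print(result.settings)
result.warnings.forEach { print("warning:", $0) }
```

A host app cannot recover from an uncaught Objective-C exception or a Swift trap raised inside a linked framework, so this kind of tolerance has to live in the SDK's own parsing rather than in the integrating app.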

------
addicted2Code
I had to remove the SDK a few months ago due to it causing crashes. If I
remember correctly they injected some code into didSelectRowAtIndexPath for
table / collection views...Looks like it's fixed now but I definitely won't be
adding it back, [https://github.com/facebook/facebook-ios-sdk/issues/1318](https://github.com/facebook/facebook-ios-sdk/issues/1318)

------
fxtentacle
How to gain market share? Release a breaking server-side update and "forget"
to inform other vendors in time so that their apps crash, while yours do not.

------
user982
Zoom dodged this bullet.

~~~
ilikehurdles
And got so much flak for it. How much "zomg you're spying on me" press are the
other 50% of the iOS ecosystem going to receive for doing the same thing Zoom
did, going on a decade.

~~~
Nextgrid
Just because others are doing it doesn't make it okay.

------
lucasar
You beat me by a couple of minutes. Dear Facebook: Please move slower and
break fewer things. Thank you very much.

------
joeblau
This is a good resource to see who is being impacted[1].

[1] - [https://downdetector.com](https://downdetector.com)

------
kjgkjhfkjf
This is a nice demonstration of why exceptions, in particular untyped
exceptions, are a major liability.

------
xenospn
I had no idea why my app was suddenly crashing multiple times all of a sudden.
God fucking damnit.

------
vmception
Hm my whatsapp crashed midcall today, wonder if they use the Facebook SDK or
something else

~~~
alex-wallish
Given that whatsapp is owned by facebook, that seems very likely.

~~~
vmception
that's exactly why I was wondering if they use something else, a better
internal shared library for accessing facebook services

------
nickpinkston
Move fast and break other things

------
floatingatoll
18 minutes ago:

> _Server side change is already reverted. The crash will vanish._

~~~
jfim
> Still crashing 30 minutes after your revert. Are you sure you reverted the
> right thing?

------
outside1234
Ah that is what is happening!!! Thanks HN. :)

------
bilifuduo
Guess Joma was right:
[https://www.youtube.com/watch?v=rR4n-0KYeKQ](https://www.youtube.com/watch?v=rR4n-0KYeKQ)

------
sferik
At least they moved fast.

------
anticensor
This is surely a competition violation, wordly blocking competing products
from operating.

------
lennykhazan
guess we're back to "move fast and break things"

~~~
Austin_Conlon
Move slowly with unstable infra.

------
ExactActuation
But all of the engineers passed LeetCode, how could this be?

~~~
ignoramous
Facebook engineering generally is super competent. Leet code or not, such slip
ups are bound to happen from time to time. True test of competence would be
these mistakes don't repeat and that they learn from it, which I'm pretty sure
they would.

~~~
5cott0
So you're saying we can be confident they won't break democracy again?

~~~
pb7
What does that have to do with engineering talent?

~~~
5cott0
It has everything to do with it. Software engineers should take care to
consider the risks and potential downsides to the shady products they build
with that talent that aren't just downtime or tech debt but the larger impact
to society itself. Silicon Valley prioritizes technical talent while
completely disregarding strength and quality of character.

------
lifeAsNerd
But Apple advertising says we have privacy!

------
32gbsd
good

------
sreekotay
Unpopular opinion: bugs happen. Be bold.

~~~
ksml
What's "be bold" supposed to mean?

~~~
saagarjha
Break every application that links your SDK, of course.

------
scottmf
I’m calling it “lefb-pad”

------
wicket
Is this a library or an SDK? Why on earth would you install an SDK on an end-
user's phone?

~~~
jannes
The SDK contains the library. I guess in app developer circles these terms are
conflated.

------
AzzieElbab
10 to 1 it is going to be about SDKs generated from PHP with its bizarre
associative arrays.

