Your custom browser might be getting detected as a MITM attack on your account.<p>If that is the case, take a look at <a href="https://security.googleblog.com/2019/04/better-protection-against-man-in-middle.html" rel="nofollow">https://security.googleblog.com/2019/04/better-protection-ag...</a> for the official statement and at <a href="https://stackoverflow.com/questions/59480956/browser-or-app-may-not-be-secure-try-using-a-different-browser-error-with-fl" rel="nofollow">https://stackoverflow.com/questions/59480956/browser-or-app-...</a> and all the resources that it links to for some workarounds.
Google doesn't allow auth in a webview. The reasoning is that any application prompting you to login with a 3rd party service (ex: google/facebook/twitter/etc) in a webview can compromise the account.<p>Technically, they're correct - It's pretty easy to inject code into a webview you own, and it can do basically anything it likes (for example - record the username/password you just entered into the Google login page).<p>So Google's stance is that you need to use a browser they approve of to access your account, and if they spot a webview they tend to block it and show this message.<p>I'm conflicted - As someone responsible for doing security audits, their concerns are fair.<p>As someone who does not believe Google is operating with any vestiges of the "Do no evil" motto, this is also a very convenient way to block new entries to the browser market.
Does anyone know how they're detecting this? User agents can be changed and JS APIs can be modified with very little effort. Short of making something absolutely insane and forcing everyone to go along like they did with SafetyNet on Android, I don't see a way for this to actually work...