Facebook iOS SDK Remotely Crashing Spotify, TikTok, Pinterest, Winno and More

824 点作者 MCKapur大约 5 年前

48 条评论

fooey大约 5 年前

Seems to be some suggestions now that apps were continuing to crash even after commenting out the FB implementation because FB is managing to do remote API calls just because the framework is linked.<a href="https://github.com/facebook/facebook-ios-sdk/issues/1373#issuecomment-624944045" rel="nofollow">https://github.com/facebook/facebook-ios-sdk/issues/1373#iss...</a>> It does not matter. Their libraries are dynamic, and they abuse +load functions for classes with some business logic calls. So, +load will be called anyway on the application launch when dyld loads all linked frameworks.and> I really don't understand why it is still crashing when we turn it off? Could you please explain, why there is a remote connection even we comment out the implementation? Linking binary framework just enough to break things down, why? What do you do in background? Sending or receiving some data even it's not been initialized?

评论 #23100375 未加载

评论 #23097957 未加载

评论 #23100869 未加载

评论 #23098715 未加载

yllus大约 5 年前

For those wondering why the Facebook SDK is so widely used in popular mobile apps: Facebook Login is actually in the minority of reasons to add the Facebook SDK to your mobile app. The vast majority of apps will add the Facebook SDK because it contains Facebook App Ads; a library that "completes the circle" in terms of finding out how effectively the ads you ran on Facebook were at getting people to download, install and run your mobile app. So really the Facebook SDK is there to collect data of that advertisement being effective and provides both Facebook and the mobile app developer with knowledge of how their ad spend went.Is that "spyware"? Some would call it merely wanting to know if your marketing budget was wisely spent - I suppose a lot depends on what data it collects on people.More info: <a href="https://developers.facebook.com/docs/app-ads" rel="nofollow">https://developers.facebook.com/docs/app-ads</a>

评论 #23098632 未加载

评论 #23099529 未加载

评论 #23099700 未加载

评论 #23099423 未加载

评论 #23101931 未加载

评论 #23099853 未加载

评论 #23097939 未加载

评论 #23101848 未加载

评论 #23098499 未加载

评论 #23100001 未加载

评论 #23097940 未加载

评论 #23097900 未加载

评论 #23098535 未加载

评论 #23098476 未加载

评论 #23098171 未加载

surferbayarea大约 5 年前

Why is facebook spyware part of Spotify. I signed up to Spotify via email not facebook login.

评论 #23097724 未加载

评论 #23097933 未加载

评论 #23099146 未加载

评论 #23097806 未加载

评论 #23097870 未加载

评论 #23098925 未加载

评论 #23097838 未加载

lancefisher大约 5 年前

We found a couple workarounds while Facebook was busy fixing this.1. Airplane mode 2. Block facebook.com as adult content under Settings | Screen Time | Content Restrictions | Web Content | Limit Adult Websites | Add a site. 3. Block facebook.com at your router.Option 2 could be helpful if you want to block it for privacy reasons.

评论 #23099970 未加载

评论 #23105994 未加载

g_p大约 5 年前

Perhaps this outage will raise awarenesses more broadly as to the prevalence of "non essential" third party SDKs like these, and the risk that their failure can significantly impact on the wider ecosystem.I can't imagine Apple will be all too pleased by this. Perhaps time for them to look at clamping down on SDKs that make remote network requests? (Given they have their own private sign in system now as well, they might even have a secondary incentive)

评论 #23098016 未加载

评论 #23098036 未加载

评论 #23099664 未加载

评论 #23100263 未加载

firloop大约 5 年前

I block all Facebook domains with the NextDNS iOS app — didn't seem to be affected by this. Blocking spyware has its perks.

评论 #23097959 未加载

评论 #23097872 未加载

评论 #23098805 未加载

MCKapur大约 5 年前

Also: Tinder, Venmo, GrubHub (think of the botched deliveries heh), and more. An ongoing list here: <a href="https://twitter.com/aburninghilll/status/1258169688959352832" rel="nofollow">https://twitter.com/aburninghilll/status/1258169688959352832</a>Also see: <a href="https://github.com/facebook/facebook-ios-sdk/issues/1373" rel="nofollow">https://github.com/facebook/facebook-ios-sdk/issues/1373</a>

whatthesmack大约 5 年前

We have a few thousand apps on the App Store and got bit by this today.The SDK is very useful for a smooth login experience if the user has the Facebook app installed, because your app can offer Facebook as a login option, then just pop the user over to the Facebook app, they can tap “okay” (or whatever), and jump back to your app.That said, we’re going to rip this thing out of our apps ASAP. No framework should be calling network code in “+load”. The convenience for the user (and the dirty tracking Facebook apparently does) is just not worth the trade-off of handing our app’s stability over to Facebook.

评论 #23099012 未加载

a-wu大约 5 年前

I hope that this incident and the Zoom incident will motivate app developers to remove the Facebook SDK when possible.

评论 #23103078 未加载

saagarjha大约 5 年前

From the crash log, it looks like the server response it's getting back is missing a field that the SDK wants. Facebook should be able to fix this on their end?Edit: from the issue it looks like they've done something, but people are still reporting crashes…

评论 #23098745 未加载

评论 #23097662 未加载

felubra大约 5 年前

This comment made my day LOL <a href="https://github.com/facebook/facebook-ios-sdk/issues/1374#issuecomment-624939133" rel="nofollow">https://github.com/facebook/facebook-ios-sdk/issues/1374#iss...</a>

aboringusername大约 5 年前

I really think the use of remote, undocumented and unknown code just needs to end. Including the SDK which can make changes invisibly should never be an acceptable practice.And it's why I am weary of installing apps in general. Tip: use f-droid, check privacy exodus and stick to the browser where possible, where you can have much greater control, and not be spied on by FB.

bschwindHN大约 5 年前

Hi everyone,Please use the oauth-only version for login and strip the facebook SDK garbage from your apps. It seems it's not worth the trouble.

评论 #23100044 未加载

yumraj大约 5 年前

Is there a comprehensive list of applications that have the FB SDK in them so that I can decide to not install those?Does Apple use FB SDK in their apps? I think not, but can someone confirm?

veeti大约 5 年前

Same thing happened with Google Maps SDK just a few weeks ago.<a href="https://www.reddit.com/r/androiddev/comments/g6t8fu/google_maps_sdk_error_started_popping_on_last_hour/" rel="nofollow">https://www.reddit.com/r/androiddev/comments/g6t8fu/google_m...</a>

jasonlingx大约 5 年前

> This is insane, half of the apps on my phone aren't launching!> Please move slower and break fewer things. Thank you.

cpv大约 5 年前

Maybe this will motivate product owners, developers, marketers, to start thinking before implementing a dozen of SDKs in a mobile app (or website). It's understandable when you need some analytics/crash reporting, but it becomes a privacy and ethics question when a lot of data is wandering around, and even better, crashes your app. And the users will blame you, they don't even know how many SDKs are there and what they are doing.

评论 #23100590 未加载

tomduncalf大约 5 年前

A similar thing happened with Google Maps recently: <a href="https://twitter.com/GergelyOrosz/status/1253608276660551680" rel="nofollow">https://twitter.com/GergelyOrosz/status/1253608276660551680</a>Not sure what the lesson is, other than that you can’t trust third party code, even if it’s written by the worlds largest companies!

asquabventured大约 5 年前

Waze, a company owned by Google was also broken and force crashing over and over again for a few hours.Whenever I hear of some Facebook offering all I think of is when you dance with the devil, you shouldn't be surprised when you get burned.

trustfundbaby大约 5 年前

Wow. At almost exactly the time that report was filed ... about 30-40 Minutes, my spotify ios app started crashing. I was listening to a song on my desktop, and wanted to share it on my instagram so I went to the app to do it. everytime I opened up the app it would crash immediately, I restarted my phone, tried it again, and it was fine for about 5 seconds and then crash ... crash ... crash ...I filed a report with Spotify and by the time they got back to me, the problem had gone away ... I thought it was very odd, until I read this post ...I guess now I know what happened.

brenden2大约 5 年前

This is one of several reasons why I refuse to install apps unless I absolutely must. You have no way of knowing what kind of spyware is bundled with them, and there's no way to block it (like you can in a proper browser with uBlock Origin).

0h139大约 5 年前

Is there a postmortem available on this? Perhaps I missed it in the sea of comments.

评论 #23101092 未加载

pkage大约 5 年前

Looks like it's back to normal (ish) now. I'm curious as to what kind of testing they have that this wasn't caught by a test suite though--login integration seems like an incredibly important thing to not break.

bvandewalle大约 5 年前

Is there a list somewhere of all the apps importing the spyware Facebook SDK?

manigandham大约 5 年前

For all the privacy stuff that Apple does on Safari, it does absolutely nothing against the tracking issues in the mobile app ecosystem.The unspoken rule is because apps make money for Apple and websites don't.

gwittel大约 5 年前

Ouch. Not knowing how the iOS apps are written, two questions come to mind:1) Why wasn’t the SDK written to tolerate bad data and fail gracefully?2) Could clients integrating the SDK be written to tolerate failures like this?

addicted2Code大约 5 年前

I had to remove the SDK a few months ago due to it causing crashes. If I remember correctly they injected some code into didSelectRowAtIndexPath for table / collection views...Looks like its fixed now but I definitely won't be adding it back, <a href="https://github.com/facebook/facebook-ios-sdk/issues/1318" rel="nofollow">https://github.com/facebook/facebook-ios-sdk/issues/1318</a>

fxtentacle大约 5 年前

How to gain market share? Release a breaking server-side update and "forget" to inform other vendors in time so that their apps crash, while yours do not.

user982大约 5 年前

Zoom dodged this bullet.

评论 #23098054 未加载

lucasar大约 5 年前

You beat me by a couple of minutes. Dear Facebook: Please move slower and break fewer things. Thank you very much.

joeblau大约 5 年前

This is a good resource to see who is being impacted[1].[1] - <a href="https://downdetector.com" rel="nofollow">https://downdetector.com</a>

kjgkjhfkjf大约 5 年前

This is a nice demonstration of why exceptions, in particular untyped exceptions, are a major liability.

xenospn大约 5 年前

I had no idea why my app was suddenly crashing multiple times all of a sudden. God fucking damnit.

vmception大约 5 年前

Hm my whatsapp crashed midcall today, wonder if they use the Facebook SDK or something else

评论 #23098089 未加载

nickpinkston大约 5 年前

Move fast and break other things

floatingatoll大约 5 年前

18 minutes ago:> Server side change is already reverted. The crash will vanish.

评论 #23097668 未加载

outside1234大约 5 年前

Ah that is what is happening!!! Thanks HN. :)

bilifuduo大约 5 年前

Guess Joma was right: <a href="https://www.youtube.com/watch?v=rR4n-0KYeKQ" rel="nofollow">https://www.youtube.com/watch?v=rR4n-0KYeKQ</a>

sferik大约 5 年前

At least they moved fast.

anticensor大约 5 年前

This is surely a competition violation, wordly blocking competing products from operating.

lennykhazan大约 5 年前

guess we're back to "move fast and break things"

评论 #23097647 未加载

ExactActuation大约 5 年前

But all of the engineers passed LeetCode, how could this be?

评论 #23097866 未加载

评论 #23099069 未加载

评论 #23097853 未加载

评论 #23097960 未加载

评论 #23097904 未加载

lifeAsNerd大约 5 年前

But Apple advertising says we have privacy!

32gbsd大约 5 年前

good

sreekotay大约 5 年前

Unpopular opinion: bugs happen. Be bold.

评论 #23097911 未加载

评论 #23097963 未加载

评论 #23099895 未加载

scottmf大约 5 年前

I’m calling it “lefb-pad”

wicket大约 5 年前

Is this a library or an SDK? Why on earth would you install an SDK on an end-user's phone?

评论 #23101501 未加载

AzzieElbab大约 5 年前

10 to 1 it is going to be about SDKs generated from php with its bizzaire associate arrays.