On Recent Widespread iPhone App Crashes Caused by Facebook SDK

Technology Jul 20, 2020

About a week ago, on Jul 10, I found my Spotify app crashing every time I opened it. It worked when I switched to airplane mode. I googled a bit and found that a similar incident in May 2020 was caused by Facebook SDK. The solution of null-routing all Facebook URLs made my apps work again.

There were several reports on Twitter of iPhone apps suddenly starting to crash. Any iPhone app that included the Facebook SDK was crashing with the following error:

Fatal Exception: NSInvalidArgumentException
...
[FBSDKRestrictiveDataFilterManager updateFilters:] + 80 (FBSDKRestrictiveDataFilterManager.m:80)
...

The root cause was traced to an init call by Facebook SDK.

Background

Adding Facebook Login to an iOS app is a quick way to increase signup conversion rates. Almost everyone already has a Facebook account, and signing up by filling in a registration form is a hassle. Social logins like Facebook's also do the heavy lifting of handling the authentication flow, so app developers can focus on developing core functionality.

To offer a "Login with Facebook" feature, an iPhone app is required to include the Facebook SDK in its source code. Facebook discourages providing a custom login flow on iOS with web API calls.

Previous Incidents

The Jul 10 incident was not the first of its kind. A similar incident was reported earlier this year, on May 6. Facebook resolved the issue at that time, though evidently not permanently.

Other Issues with Facebook SDK

A basic iOS app archive without any functionality is about 1 MB in size. Adding the latest Facebook iOS SDK to provide the "Login with Facebook" feature inflates the app archive to 8 MB. That's a 7 MB increase for simply showing a login page and redirecting it to Facebook. Is it really worth it?

Facebook SDK is a privacy hazard too. Some of the data Facebook collects is personal information. If the app doesn't get its own consent from users, the app developer, and not Facebook, is on the hook for violating GDPR.

Resolution and Aftermath

Facebook did resolve the issue on the same day, but its updates have been terse and uninformative.

Resolved
Updated: July 10 at 10:28 PM
Earlier today, a code change triggered crashes for some iOS apps using the Facebook SDK. We identified the issue quickly and resolved it. We apologize for any inconvenience.

The ability of a third-party library to crash an app demonstrates the sheer fragility of the mobile app ecosystem. This, in the age of automated testing and CI/CD pipelines, cannot be acceptable.

There have been calls for Facebook to publish a full post-mortem of the incident and make changes to prevent it from ever happening again. However, Facebook has not been forthcoming in its communication on this and previous incidents.

Mitigation

  1. Remove the "Login with Facebook" feature. With the recent introduction of the mandatory "Sign in with Apple" requirement, there is even more incentive to remove social logins altogether.
  2. Don't include the Facebook SDK; build the login flow manually.
  3. Include a "kill" switch to disable the Facebook SDK.
  4. Disable Facebook auto-init in the application's .plist file:
     <key>FacebookAutoInitEnabled</key>
     <false/>
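
One way to enforce mitigation 4 in a build pipeline, as an added example (not code from the original post or from Facebook): a Python check that reads the Info.plist out of a built .ipa, where it is usually stored in binary form, and reports whether FacebookAutoInitEnabled is really a boolean false. The function names, the sample bundle, and the treatment of a missing key as "auto-init still on" are assumptions.

```python
import io
import plistlib
import re
import zipfile

KEY = "FacebookAutoInitEnabled"
# Main bundle Info.plist inside an .ipa: Payload/<Name>.app/Info.plist
MAIN_PLIST = re.compile(r"^Payload/[^/]+\.app/Info\.plist$")


def check_plist(data: bytes) -> str:
    """Classify one Info.plist (XML or binary) by its auto-init setting."""
    info = plistlib.loads(data)  # detects XML vs. binary plist automatically
    if KEY not in info:
        return "missing"         # assumption: the SDK then auto-initialises
    value = info[KEY]
    if value is False:
        return "disabled"
    if value is True:
        return "enabled"
    return "not-boolean"         # e.g. <string>false</string>; flag for review


def check_ipa(ipa: bytes) -> str:
    """Find the main bundle's Info.plist in an .ipa archive and classify it."""
    with zipfile.ZipFile(io.BytesIO(ipa)) as archive:
        for name in archive.namelist():
            if MAIN_PLIST.match(name):
                return check_plist(archive.read(name))
    raise ValueError("no Payload/*.app/Info.plist in archive")


def build_sample_ipa(info: dict, fmt=plistlib.FMT_BINARY) -> bytes:
    """Constructed test input: a minimal .ipa holding only an Info.plist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Payload/Demo.app/Info.plist",
                         plistlib.dumps(info, fmt=fmt))
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # constructed sample bundles, not taken from any real app
        "hardened": {"CFBundleIdentifier": "com.example.demo", KEY: False},
        "default": {"CFBundleIdentifier": "com.example.demo"},
        "mistyped": {"CFBundleIdentifier": "com.example.demo", KEY: "false"},
    }
    for label, info in samples.items():
        print(label, "->", check_ipa(build_sample_ipa(info)))
```

A release job can fail the build on any result other than "disabled", which also catches a key that was dropped during a merge or written as a string.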

Brajesh Sachan

Brajesh drives the direction of Deskera’s future technology and shapes Deskera as the technology leader. With his expertise and over 15 years of experience, he has significantly contributed to Deskera
