Facebook login SDK permissions review for hybrid mobile app

This is a question to other members of the Auth0 community who are in a similar situation. We have invested in the development of a hybrid mobile app using Auth0 to provide authentication via several SNS including Facebook. We are about to submit our notes for permissions review.

Our setup uses Ionic / Cordova & Angular. But the question is equally valid to React developers I believe.

Facebook has recently updated its requirements with regards to mobile apps. This is very concerning since we, and I imagine many other hybrid mobile developers such as those using React (itself developed by Facebook!), are not using the Facebook SDK. It says:

Mobile apps (iOS, Android, and Windows) must use the latest Facebook SDK.
The language used seems quite strong given the MUST statement. However, a few paragraphs below it reads:
All iOS and Android apps should use our SDKs for iOS and Android for requesting permissions.

  1. I would like to understand the best way to make the Facebook review, since the app does not use the Facebook SDK, and our login process is not as smooth as Facebook expects it to be on mobile (because anyone using Auth0 from a hybrid JavaScript-based mobile app will inevitably be dealing with a “web view” and will need to provide their password upon each login attempt). This goes against Facebook policy.

  2. If Facebook rejects a non-native login flow (with their new permissions review) for any hybrid mobile app which does not use the Facebook SDK, such as anyone developing with Auth0 in a hybrid context, then Auth0 should put a massive disclaimer.

Bottom line, can and should we apply as website or mobile platform or both? Our JavaScript code and app layout is not intended to be published as a website…

This is not a definitive answer as that may only be given by Facebook themselves. However, with regards to your point number one, technically it is possible to implement the authentication through a non-webview mechanism, for example, the system browser. This would mean that the end-user would not have to provide credentials again if he’s already authenticated to Facebook (within the system browser). See: GitHub - auth0/auth0-cordova: Auth0 integration for Cordova apps

In addition, as part of the Facebook SDK requirements you linked there’s a section on JavaScript that bears the following notice:

You may receive Developer Alerts if you embed your own web view to render login dialogs within your native apps for iOS and Android.

This seems to indicate it’s acceptable to use the JavaScript SDK as part of native apps (the hybrid ones I suppose) although if you use it as part of a web view you may get alerts. If you then follow the link to the JavaScript SDK you’ll also see:

If for some reason you can’t use our JavaScript SDK you can also implement Facebook Login without it.

The above then shows how to implement the web flow manually based on redirects which is something you’ll get if you go through Auth0. In conclusion, I would check with Facebook itself, but it seems using a web flow (redirect-based) not directly within a web view is something acceptable.

Just FYI to anyone in a similar situation: we have successfully completed our app review with Facebook. So it looks like there are no real restrictions on JavaScript hybrid mobile apps, and we were able to obtain all permissions requested. The login process clearly uses a web view (since we have customized some aspects and don’t use the Auth0 Lock widget, for example).

On a side note, Facebook requests that submissions provide both a fully functional APK and an iOS simulator build, along with videos that show how the permissions requested are used. Looking at our API logs and the Auth0 admin dashboard, it seems like FB testers have never run the simulator build or APK package with any test users.

I think (and this is just an opinion and does not constitute some sort of advice, of course) that the overall quality of your app, UI, instructions & video may impact the review process positively. Submitting anything “unfinished” should be avoided. Also, the overhead of doing a sim build as an admin formality is minimal.

Thanks for taking time to share the outcome of your review process.