Hey folks,
I know that simply uninstalling an Android app does not clear user credentials because of cookies in CustomChromeTabs.
BUT
I see that the ChatGPT app on Android and their Android app does not store user credentials after uninstall. So it is possible.
Which Auth0 API should I use to achieve the same behavior?
Hi @oleksandrpriadko, and welcome to the Auth0 Community!
An Android app cannot selectively clear the browser’s session cookie only upon uninstallation. This is because the Android OS provides no mechanism for an app to execute code (like a logout call) as it’s being removed.
Apps like ChatGPT likely achieve this behavior by using an embedded WebView for their login process instead of a Chrome Custom Tab. A WebView is an in-app browser component whose data (including cookies) is stored as part of the application’s private files. When you uninstall the app, the Android OS deletes all of this private data, including the WebView’s cookies, effectively clearing the session.
An alternative would be to use an ephemeral session, but that would clear the cookies every time the app is closed, and I assume that is not what you want.
I’m sorry I couldn’t provide you with a solution.
Have a great day!
Teodor.
Hey @teodor.andrei thanks for the reply! I see.
- Is it safe to use WebView instead of ChromeCustomTab?
- Is there a way to make cookies on Android device irrelevant by terminating session through the auth0 management api?
Thanks.
You’re right — a normal uninstall doesn’t always clear credentials if sessions are cached via WebView or Chrome Custom Tabs. The reason the ChatGPT app (and similar apps) don’t retain credentials after uninstall is because they implement proper logout flows tied to their identity provider.
If you’re using Auth0, you’ll need to:
- Call the /logout endpoint (/v2/logout) to clear the Auth0 session.
- Pass along your app’s client ID and return-to URL to ensure a proper redirect after logout.
- Optionally, clear app storage (SharedPreferences, cookies, cache) on uninstall or app reset.
This way, the credentials won’t persist once the app is removed or reinstalled.
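The explicit logout steps listed in the reply above, sketched with the Auth0.Android SDK as an added example (not part of the original post and not Auth0's own sample code). The helper name `logoutEverywhereLocal`, the `onDone` callback and the `"demo"` scheme are assumptions; the call has to run while the app is still installed, since no code executes at uninstall time.

```kotlin
import android.content.Context
import com.auth0.android.Auth0
import com.auth0.android.authentication.AuthenticationException
import com.auth0.android.authentication.storage.SecureCredentialsManager
import com.auth0.android.callback.Callback
import com.auth0.android.provider.WebAuthProvider

// Hypothetical helper (added example): explicit logout triggered from inside the app.
// `account` and `credentialsManager` are the instances the app already uses for login.
fun logoutEverywhereLocal(
    context: Context,
    account: Auth0,
    credentialsManager: SecureCredentialsManager,
    onDone: (AuthenticationException?) -> Unit
) {
    // 1. Remove tokens kept in the app's private storage first, so a cancelled
    //    or failed browser step cannot leave usable tokens on the device.
    credentialsManager.clearCredentials()

    // 2. Open the Custom Tab on the tenant's /v2/logout endpoint. The SDK sends the
    //    client ID and a returnTo URL built from the scheme; this is what removes
    //    the Auth0 session cookie that lives in the browser, outside the app.
    WebAuthProvider.logout(account)
        .withScheme("demo") // assumption: must match the scheme used at login
        .start(context, object : Callback<Void?, AuthenticationException> {
            override fun onSuccess(result: Void?) = onDone(null)

            // Failure (for example the user closed the tab) means the browser
            // cookie may still be present; report it instead of ignoring it.
            override fun onFailure(error: AuthenticationException) = onDone(error)
        })
}
```

The returnTo URL produced from the scheme has to be listed under Allowed Logout URLs in the Auth0 application settings, otherwise the redirect back to the app is rejected.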
My question is how ChatGPT does logout without invoking ChromeCustomTab.
Hi again @oleksandrpriadko!
I don’t have much experience with WebView, but I’ll provide the information I found online.
- Is it safe to use WebView instead of ChromeCustomTab?
WebView is broadly considered less safe than using Chrome Custom Tabs for authentication. While a WebView can be implemented securely, it shifts a significant security burden onto you. The industry best practice, advocated by both Google and identity standards like OAuth 2.0 for Native Apps (RFC 8252), is to use the system browser via Chrome Custom Tabs.
- Is there a way to make cookies on Android device irrelevant by terminating session through the auth0 management api?
Yes, absolutely, please check out this docs page, but that requires a trigger, such as a user clicking on a “Log out all devices” button. I’m not sure how you will trigger this logout on uninstall, but perhaps there is something out there that I haven’t thought of.
Have a great day!
Teodor.