tomerpacific

Did You Know That Every Expo App Includes Facebook's SDK?

How Expo Is Fooling Everyone

React Native has been around for a while now and has amassed quite a following; a glance at its GitHub repository shows just how astounding the numbers are.
Alongside the framework itself, a new tool called Expo was created. You might be confused at this point, since the differences between React Native and Expo are not apparent right off the bat. Basically, Expo is an obfuscation layer on top of React Native that lets you build applications without really having to write native code. It is essentially an SDK (Software Development Kit) that simplifies native application development for developers by exposing native components and various libraries. It also has a built-in CLI (command line interface) for various actions (creation, logs, publishing). So, we know that React Native was developed by Facebook, but Expo is supposedly not associated with it in any way, right?
This is where things get interesting, because there are a number of hidden “gems” that are not revealed to developers who use Expo. If you have already developed and published an application using Expo, this might not be surprising to you. But if you are considering doing so, you need to be aware of the “features” I will be presenting in this article.

Full Disclosure 

If you go to Expo’s website and follow the links to their documentation, you will find a page titled “Why not Expo?”. In it, various reasons are given as to why you shouldn’t be using Expo:
  • Support of all types of background code execution is limited
  • Increased application size
  • Using a different push notification service than Expo’s
  • Minimum versions of supported operating systems
Seems pretty legit, right? They’re willing to show us their cards and share some downsides of their tool. 
That’s some honesty for you.
Thing is, they didn’t reveal all of their cards and I am here to call out their bluff.
[Photo by Alex Haney on Unsplash]

Facebook SDK

Every application you develop with Expo will include the Facebook SDK. If that doesn’t alarm you, it should. There is no reason to explicitly shove Facebook’s SDK into an application (anyone say Flashlight?), and the reason behind this doesn’t seem innocent to me. As we all know, Facebook is a data-driven company, and what better way is there to collect data? There is a reason the application size is large when using Expo, and including Facebook’s SDK is part of it.
How did I stumble upon this? When publishing an Expo application to the Google Play Store, the system informed me that although I had marked my application as not containing ads, it does contain Facebook’s SDK.
If this still doesn’t seem alarming, consider what it means to develop an application and have someone insert something into its code base without your knowledge.
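Rather than relying on the Play Console warning, you can check your own build output. The following is an added example (not code from the article or from Expo) that parses the string table of each classes*.dex inside an APK and lists the class descriptors that fall under the Facebook and AdMob package prefixes; the prefixes and the constructed sample DEX are assumptions, not something taken from an Expo build.

```python
import struct
import zipfile

SDK_PREFIXES = {"Facebook SDK": "Lcom/facebook/",  # assumed package prefixes
                "Google Mobile Ads (AdMob)": "Lcom/google/android/gms/ads/"}

def _read_uleb128(buf, pos):
    """Decode one ULEB128 integer at pos; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def dex_strings(dex):
    """Return every entry of the DEX string table (string_ids -> string_data)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size/off
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _, pos = _read_uleb128(dex, data_off)        # skip the utf16 length prefix
        out.append(dex[pos:dex.index(b"\x00", pos)].decode("utf-8", "replace"))
    return out

def find_sdk_classes(dex):
    """Map SDK name -> sorted class descriptors from SDK_PREFIXES found in dex."""
    found = {}
    for s in dex_strings(dex):
        if s.startswith("L") and s.endswith(";"):     # only type descriptors
            for name, prefix in SDK_PREFIXES.items():
                if s.startswith(prefix):
                    found.setdefault(name, []).append(s)
    return {k: sorted(v) for k, v in found.items()}

def scan_apk(path):
    """Scan every classes*.dex inside an APK (a zip archive) and merge results."""
    merged = {}
    with zipfile.ZipFile(path) as apk:
        dex_names = [n for n in apk.namelist() if n.startswith("classes") and n.endswith(".dex")]
        for entry in dex_names:
            for k, v in find_sdk_classes(apk.read(entry)).items():
                merged.setdefault(k, set()).update(v)
    return {k: sorted(v) for k, v in merged.items()}

def build_fake_dex(strings):
    """Constructed minimal DEX (header + string table only) so this runs offline."""
    header = bytearray(b"dex\n035\x00".ljust(0x70, b"\x00"))
    ids, data, data_start = bytearray(), bytearray(), 0x70 + 4 * len(strings)
    for s in strings:                                 # each string < 128 bytes
        ids += struct.pack("<I", data_start + len(data))
        enc = s.encode("utf-8")
        data += bytes([len(enc)]) + enc + b"\x00"     # 1-byte ULEB128 + MUTF-8 + NUL
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    return bytes(header + ids + data)

SAMPLE_DEX = build_fake_dex([  # constructed sample standing in for a real classes.dex
    "Lcom/facebook/FacebookSdk;", "Lcom/facebook/login/LoginManager;",
    "Lcom/google/android/gms/ads/AdView;", "Lcom/example/app/MainActivity;", "onCreate"])
```

For a real build, call scan_apk("path/to/app.apk"); an empty result means no class under the listed prefixes was compiled into any DEX file.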

Ads? Who Said Anything About Ads?

In addition to the previous point, an Expo application collects a plethora of user data. This might be fine if it were stated publicly, but the current reality is that it happens without the developer being told. In particular, all Expo applications collect the Advertising ID from users. Why is this a problem? Even if we ignore the fact that this is hidden from developers, it also makes publishers of Expo applications violate Google’s Developer Distribution Agreement, specifically the Android Advertising ID usage policy and section 4.8.
To quote section 4.8:
You agree that if You make Your Products available through Google Play, You will protect the privacy and legal rights of users. If the users provide You with, or Your Product accesses or uses, usernames, passwords, or other login information or personal information, You agree to make the users aware that the information will be available to Your Product, and You agree to provide legally adequate privacy notice and protection for those users. Further, Your Product may only use that information for the limited purposes for which the user has given You permission to do so. If Your Product stores personal or sensitive information provided by users, You agree to do so securely and only for as long as it is needed. However, if the user has opted into a separate agreement with You that allows You or Your Product to store or use personal or sensitive information directly related to Your Product (not including other products or applications), then the terms of that separate agreement will govern Your use of such information. If the user provides Your Product with Google Account information, Your Product may only use that information to access the user’s Google Account when, and for the limited purposes for which, the user has given You permission to do so.
If you collect data about your users, you must supply a Privacy Policy with your application. But if you do not know that you are collecting it, your application will get removed from the Google Play Store and you will receive a frightening email from Google. Again, most developers don’t even know what Android’s Advertising ID is, so this is a pretty crummy tactic on Expo’s part.

And one more thing... Getting An APK/IPA

To get an APK/IPA of your application, you must either use the publish button in Expo Dev Tools or use the CLI and run the command expo publish. What they don’t tell you about this process is that, no matter the size of your original application, this step can take a long time. How long? More than an hour. Compare that to creating an APK/IPA in Android Studio/Xcode and you won’t understand why it takes that long.
Now, the premise of Expo is that it is free; it even says so in their FAQ. But you will notice that while the build is running and taking too long, you get a prompt to upgrade (meaning, pay) to a premium Expo service that will make your builds run faster.
That prompt links to a page titled Expo Developer Services, which costs $29 per month and gives you faster build times (among other services). I have nothing against Expo making money from services, and I am not against the notion of a premium service, but it seems in bad taste to notify developers of this option precisely when their builds are taking too long.
By now, you might think that I hold a grudge against Expo, but sincerely, I don’t. They have built a great tool for developers which is free and allows more people to get into mobile application development. As with most things that are free in life, you can’t assume that the motives behind them are innocent. Nothing in life comes without its disadvantages, and it is important for you, as a developer, to know about them as well. So next time you are looking at a free service, think twice before you add it to your project.

Comments

September 4th, 2019

What data does the Facebook SDK within Expo apps send to Facebook?

September 6th, 2019

@David,

that is a question best answered by the Expo team or someone from Facebook.

Knowing their capabilities, the sky is the limit.

September 6th, 2019

Excellent question, and we might be able to figure it out with some digging…I’m no expert, but here are my thoughts:

Now, let’s imagine you have an app that’s using every feature of Expo available. A “kitchen sink demo”, if you will. When you’re using this demo app, you can connect your phone to your computer, and not only can you debug the app, and see what sort of calls are being made – you can essentially “dump” all of the traffic going to and from your phone to a log file. This may be noisy, but with an app like Wireshark, you could filter the data and see exactly which bits and bytes are being sent from Expo itself.

Of course, this doesn’t take encryption into account…if they’ve encrypted the traffic (which I sure as hell hope they do!) then you have a new challenge: decrypting the traffic without the key. As shown by exploits such as those against WEP wifi encryption, this is feasible, but not really within the reach of an average dev just trying to snoop around. (Also this may be illegal, yada yada yada, neither I nor Hacker Noon condones illegal activity.)

So in theory it’s possible, but if they’re encrypting the traffic…well, it all depends. If they’re using AES in ECB or CBC modes, a freshman taking a cryptography course could break it. If they’re using something stronger…again, it all depends. A cryptosystem is only as strong as its weakest link.

Come to think of it, if you could debug the app, and catch the app sending data to Facebook before it’s encrypted…you’ve won. But this assumes a lot, especially assuming that the debug build of the Expo library will be used in development. I’m sure they’ve covered their asses to some extent – the question is, how much?

I could go on, but, just like that, you’ve nerd sniped me. Dammit. :laugh: Back to the internet!

September 18th, 2019

Hi, I’m one of the co-founders of Expo and have worked on it for several years and have the context for why Expo works the way it does. I found several parts of this article to be incorrect or to suggest poor intent, which has never been the case at Expo. Developer trust is one of our greatest values so I’d like to explain more about Expo in a way that hopefully feels clear and understandable.

What is Expo? Expo is an open-source platform for creating universal native apps with React. Expo currently runs on Android, iOS, and web and by using JavaScript and React you can make apps that run in all three environments while getting access to many of the native capabilities of each of them. On Android and iOS we use React Native, and on web we use React DOM, which uses the “native” API of the web. Expo is not an “obfuscation layer,” though it does use Terser for web and uglify-es for Android and iOS, which minify your JavaScript.

If you’re interested more in the open-source aspect, check out our main GitHub repository at https://github.com/expo/expo! The GitHub repository contains the source code for the Android and iOS clients; dozens of libraries that provide support for the camera, A/V playback, custom fonts, and more; and the test infrastructure for the apps and libraries.

One part of Expo is the Android and iOS clients that assist you with development. These clients are optional but help manage part of the development workflow (we call this the “managed” workflow). They contain many different native libraries you can use in your projects, and when you are ready to submit to the App Store or Google Play, you can create standalone app binaries with the same native libraries.

Why does the Expo client contain the Facebook SDK? Most of the libraries we maintain are related to device functionality, like the camera, gyroscope sensors, screen brightness, and more. A small number of the libraries provide support for services like Facebook and Google Login — these libraries do include the services’ respective SDKs, including the Facebook SDK.

Expo supports Facebook Login (you can let your end users login with Facebook) and Facebook Ads (you can display mobile ads from Facebook in your app) because several developers needed the features and they are some of the most popular login and ad services. This is the sole reason why managed Expo apps contain the Facebook SDK. Facebook did not ask us to include the Facebook SDK in Expo.

Expo also supports Google Sign-In and Google AdMob for login and ads, respectively, as well as Google Maps. We also have a generic authentication library that works with a variety of OIDC and OAuth 2 services. In general, we prefer creating generalizable, company-agnostic libraries when we can.

To reaffirm, all of this source code is in a public GitHub repository, which is a great place to see our “cards,” to use the article’s metaphor. You don’t just get to see our hand — you can see just about the entire deck in our GitHub repos, where we do our development. And we’ll add an entry about the Google and Facebook libraries to our “Why not Expo?” page so it’s easier to see.

How can I exclude the Facebook SDK from an Expo app? Several Expo apps don’t include the Facebook SDK. You can do this with what we call the “bare” workflow, which gives you a high degree of control over bare Xcode and Android Studio projects.

In contrast with the managed workflow, with the bare workflow you can include and exclude libraries based on your needs. That is, if your Expo project is using the bare workflow and doesn’t include the Facebook Login and Facebook Ads libraries, your app won’t include the Facebook SDK unless you manually added it to your project some other way.

If you are using the managed workflow, the standalone apps will contain the Google and Facebook SDKs. This works for many developers and depending on your needs you can use the managed workflow or choose the bare workflow to customize and compile the app yourself.

What user data does Expo collect? We collect very little user data and, to our knowledge, specifically nothing that identifies individuals using Expo apps. If you use Expo’s managed workflow, apps request updates over HTTPS, and these requests do not contain unique device identifiers. There are many, many apps made with Expo published to the App Store and Google Play without issue and with respect & regard for user privacy. We also have a privacy policy on our website.

Does Expo collect Advertising IDs? The vast majority of Expo apps do not collect advertising IDs, and Expo (the company) does not collect nor use these IDs ourselves. Android and iOS both have advertising IDs, as mentioned in the article. They are used by the libraries for displaying ads (Google AdMob and Facebook Ads) and the Branch library. If you don’t use these libraries in your project, the advertising ID never leaves the user’s device and no service collects it.

One thing I want to be clear on is that Expo does not make money from ads. The ads libraries are solely for developers who choose to display ads in their own apps. We do not display ads to developers nor end users.

How does Expo make money? Generally, our plan for the business is to build services that help developers make and operate their apps. We’ve started with Expo Developer Services, a monthly plan for some services for making apps.

One of the features of this plan is that you get priority access when building your app binaries with the managed workflow. As Expo has grown, more developers are now submitting more builds, which requires more servers that are fairly expensive to operate. We introduced priority builds as a way for business users to help cover the server costs for building apps, which lets us in turn buy more server capacity. Fundamentally, the server cluster is a finite, shared resource and we think it’s fair that those who are paying for it get priority when using it. If you find that your build is taking too long, you can use the bare workflow and build your app binaries on your own computer (you’ll need a Mac for iOS builds).

We strongly believe in keeping the Expo platform free — keeping it free to make an Expo app on your own computer, similar to how it is free to build a web app on your own computer. It’s important to us that students can use Expo for class projects and that developers at companies can try Expo without getting a budget approved up front. We believe this is the best way Expo can succeed.

Like the web platform, we want making Expo apps to be free. And like the web platform, we want developers to be able to use whichever hardware or service providers they want to use. And like the web, some of those service providers cost money if you choose to use them.

These services are optional and part of the managed workflow — Expo manages various parts of app development for you — but you don’t need to use them with the bare workflow. That said, operating services like the app builders and over-the-air updates costs a meaningful amount of money added up across all the apps that use our services. To offer these services in a sustainable way and deliver the high performance and high reliability that projects need, we have to charge for them. There are no disingenuous motives, it’s simply reality. A lot of developers we talk to actually understand this intuitively and tell us they’d feel even better about building with Expo if they could pay for the services they are using. Directionally speaking, Expo services will be more like AWS, for example — there’s a free tier for smaller apps and for larger apps you only pay for what you use.

In summary, the Expo platform is free and open source. You don’t need to pay Expo to make an app, nor do you need to use any of our services. We’ve invested, and will continue investing, much of our time into the bare workflow so you can build your Expo apps on your own computer, host your over-the-air updates on your own web server, use your own push notification service, and so on.

In addition to the Expo platform, we operate and are working on next-generation, optional Expo services to manage parts of your development workflow for tasks like building your app binaries, deploying high-efficiency over-the-air updates, and sending high-volume push notifications. The next generation of these services will take meaningful time to develop and we don’t have a pricing model yet, but we think that AWS’s pricing model works well for a lot of people by aligning our costs with developers’ and charging only for what people use.

Lastly, I want to be unequivocally clear that developer trust is incredibly important to us and we look to do our work with integrity and quality. We made Expo open source, are working on a sustainable business model, and write posts like this to build that trust over time. Our decisions may not resonate with everyone, but this is how we do our work on Expo.

September 24th, 2019

Is it possible you can expand on whether Expo managed apps include the Expo SDK?

On this page: https://docs.expo.io/versions/v35.0.0/sdk/facebook/ it says you’ll need to run expo install expo-facebook. So is it included by default, or do you need to install it for it to be included?

Thanks

September 25th, 2019

Managed apps currently include the Facebook SDK. When you run expo install expo-facebook, that command figures out the correct version of the expo-facebook package for your project and just runs npm install. The Objective-C and Java code for expo-facebook is already in the Expo client (for development) and in managed apps (for production).

The Facebook SDK also has some new options to disable more parts of it by default, and then later re-enable those parts programmatically. Ideally an Expo app that doesn’t use Facebook Login nor Ads wouldn’t send any network requests to Facebook. We’ll need to look into these new options more to determine their actual behavior and we plan to do that in the next release or two.
