Hackernoon logoDid You Know That Every Expo App Includes Facebook's SDK? by@tomerpacific

Did You Know That Every Expo App Includes Facebook's SDK?

Author profile picture


How Expo Is Fooling Everyone

React Native has been out there for a while now and it has amassed quite a following. Just by looking at the GitHub repository, the numbers are astounding:
With the framework itself, a new tool was also created called Expo. Now, you might be confused at this point, since the differences between React Native and Expo are not apparent right off the bat. Basically, Expo is an obfuscation layer on top of React Native, allowing the user to build applications without really having to deal with writing native code. It is essentially an SDK (Software Development Kit) that simplifies the process of developing a native application to developers by exposing the native components and various libraries. It also has a built in cli (command line interface) allowing for various actions (creation, logs, publishing). So, we know that React Native was developed by Facebook, but Expo is supposedly not associated to it in any way, right?
This is where things get interesting, because there are a number of hidden “gems” that are not revealed to developers who use Expo. If you have developed and published an application using Expo, this might not be as surprising to you. But, if you are considering to do so, you need to be aware of the “features” I will be presenting in this article.

Full Disclosure 

If you go over to Expo’s website, and click the links that will lead you to their documentation, you will get to a link titled “Why not Expo?”. In the documentation, various reasons are given as to why you shouldn’t be using Expo:
  • Support of all types of background code execution is limited
  • Increased application size
  • Using a different push notification service than Expo’s
  • Minimum versions of supported operating systems
Seems pretty legit, right? They’re willing to show us their cards and share some downsides of their tool. 
That’s some honesty for you.
Thing is, they didn’t reveal all of their cards and I am here to call out their bluff.
Photo by Alex Haney on Unsplash, Facebook SDK
Every application you will develop with Expo will include the Facebook SDK within your application. If that doesn’t alarm you, it should. There is no reason to explicitly shove Facebook’s SDK to an application (anyone say Flashlight?) and the reason behind this doesn’t seem to me to be innocent. As we all know, Facebook is a data driven company and what better way is there to collect data? There is a reason the application size is large when using Expo, and including Facebook’s SDK is part of it. 
How did I stumble upon this? When publishing an Expo application to the Google Play Store, I was informed by the system that while I have marked that my application does not contain ads, it does contain Facebook’s SDK.
If this still doesn’t seem alarming to you, consider the notion of developing an application and not knowing someone inserted something to the code base without your knowledge.

Ads? Who Said Anything About Ads?

In addition to the previous point, an Expo application collects a plethora of user data. This might be fine if it was stated publicly, but the current reality is, that this happens without letting the developer know. In particular, all Expo application collect the Advertising ID from users. Why is this a problem? If we ignore the fact of hiding this from developers, it also makes publishers of Expo applications violate Google’s Developer Distribution Agreement. In particular, violation of usage of Android Advertising ID policy and section 4.8. 
To quote section 4.8:
You agree that if You make Your Products available through Google Play, You will protect the privacy and legal rights of users. If the users provide You with, or Your Product accesses or uses, usernames, passwords, or other login information or personal information, You agree to make the users aware that the information will be available to Your Product, and You agree to provide legally adequate privacy notice and protection for those users. Further, Your Product may only use that information for the limited purposes for which the user has given You permission to do so. If Your Product stores personal or sensitive information provided by users, You agree to do so securely and only for as long as it is needed. However, if the user has opted into a separate agreement with You that allows You or Your Product to store or use personal or sensitive information directly related to Your Product (not including other products or applications), then the terms of that separate agreement will govern Your use of such information. If the user provides Your Product with Google Account information, Your Product may only use that information to access the user’s Google Account when, and for the limited purposes for which, the user has given You permission to do so.
If you are collecting data about your users, you must supply a Privacy Policy with your application. But, if you do not know about this, your application will get removed from the Google Play Store and you will receive a frightening email from Google. Again, most developers don’t even know what Android’s Advertising ID is, so this is a pretty crummy tactic used by Expo.

And one more thing... Getting An APK/IPA

To get an APK/IPA of your application, you must either use the publish button in Expo Dev Tools or use the cli and run the command expo publish. What they don’t tell you about this process, is that no matter the size of your original application, this step can take a long time. How long? More than an hour. Compare that to creating an APK/IPA in Android Studio/Xcode and you won’t understand why it is taking that long. 
Now, the premise of Expo is that it is free. It is even stated in their FAQ. But, you will notice that while the build is running and it takes too long, you will get a prompt to upgrade (meaning, pay) for a premium service in Expo that will make your builds run faster.
This link will take you to a page titled Expo Developer Services, which will cost you $29 per month and allow your build times to be faster (among other services). I have nothing against Expo making money from services and am not going against the notion of a premium service, but it seems to be in bad taste to notify developers of this option when their builds are taking too long.
By now, you might be thinking that I have a certain grudge against Expo, but to be sincere, I don’t. They have built a great tool for developers which is free and allows more people to get into the mobile application development world. Similar to most things that are free in life, you can’t think that the motives behind them are innocent. Nothing in life comes without its disadvantages and it is important for you, as a developer, to know about them as well. So next time you are looking at a free service, think twice before you add it to your project.


The Noonification banner

Subscribe to get your daily round-up of top tech stories!