This article is more than 1 year old

Don't mind Facebook, just putting its own browser in its Android app

Totally not for data collection

Analysis Meta's Facebook has been testing its own custom-browser engine within its Android app and plans to distribute the code more widely, ostensibly for the sake of better security and an improved user experience.

Facebook on Android by default chooses to have users open web links inside the app rather than in the mobile browser designated as the default in Android system preferences. It does so, like many other popular Android apps, by using the Android System WebView, a component provided by Google that loads web pages within the app.

This has some benefit to the user in terms of resource efficiency but comes at the cost of users' browser choice, saved passwords, retained login state, and browser settings related to privacy, accessibility, and extensions.

WebViews also have some benefit to Facebook in terms of improved engagement metrics – taking people out of the app to a stand-alone web browser means they might not come back immediately. It also means improved visibility into user activity – WebViews expose more user data and activity than stand-alone browsers.

An industry source described WebView browsers to The Register as "tracker-blocker-blockers," while noting the salient issue is what this does to user choice.

Facebook parent Meta, coincidentally, was sued last month for allegedly failing to adequately disclose the consequences of WebView-based browsing – a charge the company disputes.

Facebook considers the iOS WebView – from Safari's WebKit engine – less than ideal because as a system component as it only gets updated with iOS updates. On Android, things work differently. The Android System WebView and Chrome can be updated via Google Play.

Even so, according to Facebook software engineer manager ​​Nate Schloss, Android users often don't bother updating their Chrome app or apps incorporating WebViews, which can harm security and lead to a worse user experience.

Blurred lines

"To help solve these issues – and following the precedent of browser vendors such as Microsoft Edge, Samsung Internet, and Mozilla Firefox who all ship custom browser engines on Android – we have been building and testing a separate Chromium-Based WebView for a few years," said Schloss in a blog post on Friday, blurring the distinction between companies that ship stand-alone browsers on Android and Facebook, which ships an embeddable browser component.

According to Schloss, Facebook's Chromium-based WebView will replace the Android System WebView (also based on Chromium, but controlled by Google) for Facebook on Android's in-app browser.

"This WebView can update in sync with Facebook app updates, and function as a drop-in replacement for the System WebView inside the Facebook app without compromising or changing the user experience in any way," explains Schloss.

The Register asked Meta whether people can use their preferred browser to open links displayed in the Facebook app.

A spokesperson said, "If they choose, people can use the menu inside our in-app browser to select the option to open links inside the system browser. Additionally, people who do not wish to use all the features of our technologies (including the in-app browser) are able to access Facebook and Instagram through the web instead of our apps."

However, there's no easy way to set the Facebook app to open all links in the user-selected default Android browser. Links must first be opened in the Facebook app and then the user needs to tap the ••• More Options menu to load the page a second time in the user's stand-alone browser – not exactly a seamless user experience. Meta's spokesperson observed that this is more than some rival apps allow – TikTok does not support opening links in an external browser, for example.

[A reader writes in to say that Facebook does allow users to open a link first in an external browser, it's just a fairly hidden option. We're told you need to open the menu then navigate to Settings and Privacy -> Settings -> Profile -> Profile settings for your account -> Media and contacts -> "Links open externally". That should work albeit until Facebook undoes the option after a while. – ed.]

Facebook could have used a different technology to implement its WebView replacement, Chrome Custom Tabs (CCTs). Introduced in 2015, Google recommends WebViews for hosting your own content within an app and CCTs for external content.

"If your app directs people to URLs outside your domain, we recommend that you use Custom Tabs," the company's documentation suggests, because CCTs offer "support for the same web platform features and capabilities as the browsers," and assorted other benefits like Google's Safe Browsing system.

We can handle it

Meta's spokesperson, however, told The Register that CCTs would not work for the Facebook app on Android: "Our in-app browser offers capabilities and security protections for users that we cannot build with Chrome Custom Tabs, For example, we are able to allow users to report malicious webpages to us and we can more easily detect attacks from bad actors, like when a scammer tries to redirect users to a malicious site."

Meta, evidently, would rather handle web attacks on its own than provide data to Google's Safe Browsing Service. And its concern for security appears to be limited to the mobile environment – Facebook has shown no sign of trying to alter how desktop users experience the social network. What's more, WebViews have had their own security problems [PDF] in the past.

In-app browsers (WebViews and the like) have been the subject of some debate in recent years, most notably by Alex Russell, currently with Microsoft and formerly with Google, and Felix Krause, founder of fastlane.tools. These "Franken-browsers" continue to exist because Apple and Google support them in their respective mobile operating systems.

Part of the reason for that may have something to do with representing to regulators that there's competition, in order to fend off antitrust litigation.

In fact, in its comments [PDF] to the UK Competition & Markets Authority, Google specifically cites native apps, "which allow users to view web content on in-app browsers, which have significant traffic," as proof that the company has competition.

Google acknowledges that CMA's Interim Report "raises concerns about in-app browsers overriding users’ chosen default browsers." However, the company supports the CMA's observation that "the decision on whether a native app launches an in-app browser, and if so, which browser, lies with the respective app developer, not Google."

The Facebook app has made that choice, though it allows users to choose for themselves on the second page load. ®

More about

TIP US OFF

Send us news


Other stories you might like