5 comments

[ 3.3 ms ] story [ 22.0 ms ] thread
As a developer, I’ve spent years building and maintaining my app to meet Google’s policies and user expectations. Recently, I discovered today that users logging in with Google see very scary warnings when opening links through in-app browsers in my app.

Here’s the kicker: the warnings are based on the user-agent, as Google quietly admits in the fine print. This means they know the issue is with Samsung, Xiaomi, and custom Android ROMs' in-app browsers not adhering to their ‘secure browsing’ standards. But instead of addressing it, they’re happy to pass the buck and blame the one person who has zero control over the situation: the developer.

I’m already in a high-risk industry, so this has likely caused substantial, unknowable losses—and it could even be argued that it’s defamatory. These warnings unfairly place blame on me, tanking user trust and damaging reputations, even though Google knows it’s not my fault.

By explicitly suggesting that our apps are unsafe, Google is punishing developers for their inability to control Android’s ecosystem fragmentation while forcing users to trust the false narrative that “it’s the app’s fault.”

If any starving lawyers want to start a class action, consider me your first lead.

Base64 + ROT13: em5leC53bnBib2ZyYTc2QGNlYmdiYS56cg==

"Disallowed Useragent"?

What API or web page is returning this?

Looks like the Google OAuth authorization flow.

Google's policy[0] is that apps should be requesting OAuth authorization using the system browser, not an embedded webview. It's a sensible policy. We don't want to teach users to write the credentials for their Google accounts into random apps.

Going via the system browser is likely to be better user experience anyway, since anyone using a "sign in via Google" option is likely already logged into Google on their system browser, while they obviously won't be on a webview.

[0] https://developers.googleblog.com/en/upcoming-security-chang...

Ah. That makes more sense.

Not clear that Google OAuth is worthy of trust for anything outside Google, though.