We have been monitoring an uptick in phishing attempts on Android embedded browsers (also known as webviews), so beginning in August, we will no longer support FB Login authentication on Android embedded browsers. Prior to this date, we will continue to prevent access to Facebook Login on embedded browsers for certain users we deem high-risk in an effort to prevent malicious activity.
If your app currently surfaces Facebook Login on an embedded browser on Android, you should ensure you are using the SDK, have updated to version 8.2+, and remove any overrides in Login Behavior during login (i.e., using LoginBehavior.WEB_VIEW_ONLY). If your app is using version 8.2+ of the SDK, we utilize several methods to authenticate the user through other methods -- including options like sending a push notification to verify the user’s identity (a.k.a. “Passwordless flow”) or asking the user to complete the login in the Chrome browser (Chrome Custom Tabs) or Facebook Android app (a.k.a. Android App Switch). In addition to being a more secure option, these alternative authentication methods also improve the user experience and increase conversion rates, as the user will no longer need to manually enter their password to log in.
Despite this approach, there may be some cases where we’re unable to authenticate users through alternative methods, in which case the user will be blocked from logging in on an Android webview. In this case, we recommend users use another device to log in.
We appreciate your partnership as we continue to invest in platform security.