Web security is important to everyone and as one of the leaders in shaping the future of the web, Google is invested in ensuring security of users using OAuth logins – the simple transaction that lets you login to websites with your Facebook, Google etc. logins. To this end, they’ve announced that they will be shutting down support for OAuth logins using web-views.
Google’s Web-View has been superceded in most cases by Chrome Custom Tabs, and on iOS by the SFSafariViewController, and with these other options available, Google will be pushing requests from custom web-views to the device browser. To that end, Google advised:
In the coming months, we will no longer allow OAuth requests to Google in embedded browsers known as “web-views”, such as the WebView UI element on Android and UIWebView/WKWebView on iOS, and equivalents on Windows and OS X.
The possibility of having apps ‘inspect and modify content in a web-view’, but with the device browser it offers a better experience not only with UX, but in that users need only sign into OAuth once, whereas in a custom web-view, a user will have to sign in over and over again.
The phasing out of third-party OAuth App login support will begin in October this year, with Google advising that from the 20th of October they will begin preventing new OAuth clients from using web-views if there is a viable alternative available, with existing web-view clients getting a ‘user-facing notice’ i.e expect a toast notification to pop up. Next year, Google will phase out OAuth requests from web-views all together, advising from the 20th of April next year, they will start blocking web-view requests on any platform that has a viable alternative.
It’s definitely a bit more secure to be using the more up to date browser options, there will of course be some users using edge-case devices and systems affected, but in the long run your security is more important.
