The Problem of Third-Party SDK Creep (rambo.codes)

Brian Barrett, Wired:

According to widespread reports and the web monitoring service Down Detector, prominent iOS apps like TikTok, Spotify, Pinterest, Venmo, and more experienced issues on Wednesday. Many users found that they crashed whenever they tried to open the apps, whether or not they used Facebook to log in. “Please move slower and break fewer things,” wrote one GitHub commenter. “Thank you.”

“Yesterday, a new release of Facebook included a change that triggered crashes in some apps using the Facebook iOS SDK for some users. We identified the issue quickly and resolved it,” Facebook said in a statement.

That change was quite small, given its outsized impact. “It was something like a server value — which was supposed to provide a dictionary of things — was changed to providing a simple YES/NO instead, without warning,” says iOS developer Steven Troughton-Smith. “A change that simple can break an app that isn’t prepared for it.”

This isn’t even close to the first time something like this has happened. A few years ago, a developer pulled their code from the NPM package manager; a small utility of theirs was widely used, and other developers’ dependence on it broke lots of popular software. This isn’t even the first time this has happened with Facebook’s SDK.
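The failure Troughton-Smith describes above (a server-delivered value that used to be a dictionary arriving as a plain YES/NO) is a type-confusion bug in the client, and it is the client that decides whether the answer is a crash or a graceful fallback. The Swift snippet below is an added illustration, not code from the Facebook SDK or from any of the apps mentioned: the payloads, the `settings` key and the field names inside it are constructed for the example. It contrasts the forced cast that traps on an unexpected shape with a checked parse that degrades to known-safe defaults.

```swift
import Foundation

// Constructed sample responses (not Facebook's real payloads). The first is the
// shape the client expects; the second is the kind of change described in the
// article, where a dictionary is replaced by a bare boolean without warning.
let expectedPayload = #"{"settings": {"auto_log_events": true, "sample_rate": 10}}"#
let changedPayload  = #"{"settings": false}"#

struct RemoteSettings {
    var autoLogEvents: Bool
    var sampleRate: Int

    // Defaults used whenever the server value is missing or has an unexpected shape.
    static let fallback = RemoteSettings(autoLogEvents: false, sampleRate: 0)
}

enum SettingsParseResult {
    case parsed(RemoteSettings)
    case fellBack(reason: String)
}

/// Parse the hypothetical "settings" value defensively: every cast is checked,
/// and any shape the client did not anticipate degrades to safe defaults
/// instead of trapping at launch.
func parseSettings(from json: String) -> SettingsParseResult {
    guard let data = json.data(using: .utf8),
          let root = (try? JSONSerialization.jsonObject(with: data)) as? [String: Any] else {
        return .fellBack(reason: "response is not a JSON object")
    }
    // The crash mode from the article: code written as
    //     let settings = root["settings"] as! [String: Any]
    // traps the moment the server sends a Bool here. A conditional cast does not.
    guard let settings = root["settings"] as? [String: Any] else {
        let actual = type(of: root["settings"] ?? NSNull())
        return .fellBack(reason: "settings is \(actual), expected a dictionary")
    }
    // Each field is validated individually, so one bad field never discards the rest.
    var result = RemoteSettings.fallback
    if let flag = settings["auto_log_events"] as? Bool {
        result.autoLogEvents = flag
    }
    if let rate = settings["sample_rate"] as? Int, (0...100).contains(rate) {
        result.sampleRate = rate
    }
    return .parsed(result)
}

for payload in [expectedPayload, changedPayload] {
    switch parseSettings(from: payload) {
    case .parsed(let s):
        print("parsed: autoLogEvents=\(s.autoLogEvents) sampleRate=\(s.sampleRate)")
    case .fellBack(let reason):
        print("fell back to defaults: \(reason)")
    }
}
```

The design point is that remote configuration is untrusted input even when it comes from a vendor you integrate with: the SDK's network layer can change independently of your release cycle, so the parse boundary needs the same shape and range checks you would apply to any other external data, and the fallback path should leave the app usable rather than terminated.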

Guilherme Rambo:

Many people rush to blame engineers for these types of problems. “Of course it’s the engineers’ fault: they included the SDK after all, didn’t they?”

Even though it was technically an engineer who programmed the SDK into their company’s app, those types of decisions are usually top-down. Someone over at marketing decides they want better analytics on their Facebook campaigns, they talk to the product people and the product people just order that from the engineers.

I’m sure there’s a Facebook engineer who was furious with themselves for shipping something that broke a bunch of big apps, but this incident shows how dependent many ostensibly independent apps are on the infrastructure of a few giants. It’s kind of like when a bunch of websites go down because someone kicked the plug out at an Amazon Web Services server farm. It is a reminder that an extraordinary amount of responsibility for modern life is held by very few.