Prevent network requests from Facebook Android SDK

Question

The Android Facebook SDK is always making a network request to graph.facebook.com when calling FacebookSdk.sdkInitialize(context) even if nothing of the SDK has been used yet.

So if we're initializing it in the Application.onCreate() there will always be at least one network request. Even if the setting is as follows:

 <meta-data
    android:name="com.facebook.sdk.AutoLogAppEventsEnabled"
    android:value="false" />

We've took a closer look at this because a user complained that he is not using the Facebook Login (which is why we have the Facebook SDK in the first place) and still there is "user data" transferred to Facebook. In times of GDPR and suspicious users, this is a very unfavourable behaviour!

What we're doing now is calling FacebookSdk.sdkInitialize(context) only when the user wants to use the Facebook Login (at the time when the user clicks on the button). Additionally, we removed the meta-data for android:name="com.facebook.sdk.ApplicationId" from the AndroidManifest. This prevents the initial network request but then there is the following crash appearing in the CurrentAccessTokenExpirationBroadcastReceiver:

java.lang.RuntimeException: Unable to start receiver com.facebook.CurrentAccessTokenExpirationBroadcastReceiver: The SDK has not been initialized, make sure to call FacebookSdk.sdkInitialize() first.
at com.facebook.internal.Validate.sdkInitialized(Validate.java:143)
    at com.facebook.FacebookSdk.getApplicationContext(FacebookSdk.java:518)
    at com.facebook.AccessTokenManager.getInstance(AccessTokenManager.java:86)
    at com.facebook.CurrentAccessTokenExpirationBroadcastReceiver.onReceive(CurrentAccessTokenExpirationBroadcastReceiver.java:34)

Now there are several questions:

1. Why is Facebook still making a request at start? If they want to validate the auth token, they can do it as soon as the SDK is really used...

2. Does Facebook know and tolerate crashes when sdkInitialize() is not called? Because I fear when this NullPointerException is removed there will be other crashes...

3. Most important: Are there any other ways to prevent network requests from the Facebook SDK when its features are not used?

Answer 1

I have noticed that the Facebook SDK (at least in version 4.33) adds a provider (com.facebook.internal.FacebookInitProvider) in the manifest of your app, which automatically calls FacebookSdk.sdkInitialize with the application context.

Even if you have added:

<meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled" android:value="false" />

in your manifest, at least 2 requests will be made to Facebook:

• a graph request to get app settings
• an Events request "fb_sdk_initialize" which logs all the Facebook frameworks that are included into your app

So to prevent these requests (that we don't want as long as the user didn't allow them (GDPR)), I think you did everything we need to do:

• Do not add <meta-data android:name="com.facebook.sdk.ApplicationId" android:value="@string/facebook_app_id"/> in the manifest
• Add <meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled" android:value="false"/> in the manifest
• Only initialize Facebook SDK when you need it.

Like this for example:

FacebookSdk.setApplicationId(<context>.getString(R.string.facebook_app_id));
FacebookSdk.sdkInitialize(<context>);
AppEventsLogger logger = AppEventsLogger.newLogger(<context>); // I don't use FB Login for my project but app events.

---

But regarding your crash, I don't know why it happens since it seems that the broadcast "com.facebook.sdk.ACTION_CURRENT_ACCESS_TOKEN_CHANGED" is sent locally.

Nevertheless, I think you can prevent it by adding this to your manifest:

<provider
    android:name="com.facebook.internal.FacebookInitProvider"
    tools:node="remove" />
<receiver
android:name="com.facebook.CurrentAccessTokenExpirationBroadcastReceiver"
    tools:node="remove" />

However, doing this may have bad consequences with the use of Facebook SDK and I think you will have to provide (and register in your manifest) your own BroadcastReceiver:

public class CustomCurrentAccessTokenExpirationBroadcastReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        if (AccessTokenManager.ACTION_CURRENT_ACCESS_TOKEN_CHANGED.equals(intent.getAction())) {
            new CurrentAccessTokenExpirationBroadcastReceiver().onReceive(context, intent); // Call it only if you have initialized the Facebook SDK!
        }
    }
}