Here’s the kicker: the warnings are based on the user-agent, as Google quietly admits in the fine print. This means they know the issue is with Samsung, Xiaomi, and custom Android ROMs' in-app browsers not adhering to their ‘secure browsing’ standards. But instead of addressing it, they’re happy to pass the buck and blame the one person who has zero control over the situation: the developer.
I’m already in a high-risk industry, so this has likely caused substantial, unknowable losses—and it could even be argued that it’s defamatory. These warnings unfairly place blame on me, tanking user trust and damaging reputations, even though Google knows it’s not my fault.
By explicitly suggesting that our apps are unsafe, Google is punishing developers for their inability to control Android’s ecosystem fragmentation while forcing users to trust the false narrative that “it’s the app’s fault.”
If any starving lawyers want to start a class action, consider me your first lead.
Base64 + ROT13: em5leC53bnBib2ZyYTc2QGNlYmdiYS56cg==
https://stackoverflow.com/questions/40591090/403-error-thats...
The fact that you can "fix" it by forging your user-agent demonstrates that it's a useless policy change, and does nothing to protect users, while needlessly casting doubt on apps that comply with policies.
What API or web page is returning this?
Google's policy[0] is that apps should be requesting OAuth authorization using the system browser, not an embedded webview. It's a sensible policy. We don't want to teach users to write the credentials for their Google accounts into random apps.
Going via the system browser is likely to be better user experience anyway, since anyone using a "sign in via Google" option is likely already logged into Google on their system browser, while they obviously won't be on a webview.
[0] https://developers.googleblog.com/en/upcoming-security-chang...
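One way to follow the policy this comment describes, added here as an illustration and not code from the thread, from Google or from any project: an Android client that opens Google's authorization URL in a Custom Tab (the system browser) rather than an embedded WebView, with a PKCE challenge and a state value. The GoogleSignIn class, CLIENT_ID and REDIRECT_URI are hypothetical placeholders, and the androidx.browser dependency is assumed.

```java
import android.app.Activity;
import android.net.Uri;
import android.util.Base64;
import androidx.browser.customtabs.CustomTabsIntent;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public final class GoogleSignIn {
    // Placeholder values (hypothetical); real ones come from the Google Cloud console.
    private static final String CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com";
    private static final String REDIRECT_URI = "com.example.app:/oauth2redirect";
    private static final String AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
    private static final int B64 = Base64.URL_SAFE | Base64.NO_PADDING | Base64.NO_WRAP;
    private final SecureRandom random = new SecureRandom();
    private String codeVerifier; // needed later to redeem the code at the token endpoint
    private String state;        // needed later to check that the redirect belongs to us

    private String randomUrlSafe(int bytes) {
        byte[] buf = new byte[bytes];
        random.nextBytes(buf);
        return Base64.encodeToString(buf, B64);
    }

    /** Opens Google's consent page in the system browser (Custom Tab), never a WebView. */
    public void start(Activity activity) throws Exception {
        codeVerifier = randomUrlSafe(32); // 43-char PKCE verifier (RFC 7636)
        state = randomUrlSafe(16);
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
        Uri authUri = Uri.parse(AUTH_ENDPOINT).buildUpon()
                .appendQueryParameter("client_id", CLIENT_ID)
                .appendQueryParameter("redirect_uri", REDIRECT_URI)
                .appendQueryParameter("response_type", "code")
                .appendQueryParameter("scope", "openid email")
                .appendQueryParameter("code_challenge", Base64.encodeToString(digest, B64))
                .appendQueryParameter("code_challenge_method", "S256")
                .appendQueryParameter("state", state)
                .build();
        // The Custom Tab runs in the user's real browser: their existing Google session is
        // reused, the user-agent check passes, and the app never sees what they type.
        new CustomTabsIntent.Builder().build().launchUrl(activity, authUri);
    }

    /** Called by the Activity whose intent filter owns REDIRECT_URI. Returns the auth code. */
    public String handleRedirect(Uri redirect) {
        if (state == null || !state.equals(redirect.getQueryParameter("state"))) {
            throw new IllegalStateException("state mismatch: redirect is not from our request");
        }
        return redirect.getQueryParameter("code"); // exchange with codeVerifier for tokens
    }
}
```

The returned code is then exchanged at Google's token endpoint together with the stored codeVerifier; the Activity that receives the redirect must declare an intent filter for the REDIRECT_URI scheme.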
Not clear that Google OAuth is worthy of trust for anything outside Google, though.