Using Secure Web Views
Why use a secure Web View
When using the PKCE flow (or any flow into which the user enters sensitive information), it is important to use the secure web views provided by the operating systems.
On iOS, in line with Apple's guidance we use their Authentication Services Framework. On Android, we use Custom Tabs where available or fallback to the device's browser. We never use embedded web views for authentication on either platform.
The Pugpig Apps have been using these sanctioned non-embedded web views for many years.
Google Developer Warnings
Some of our clients (in particular those using a PKCE flow including Google Sign In, for example Piano) have been receiving emails like this:
However, according to Google's announcement, the warnings have been visible since August 2021. Unless you see a warning, you can ignore these emails for your Pugpig apps. Pugpig apps have been using the secure web views sanctioned by the same announcement on both platforms for as long as they have existed, see above.
However, please get in touch if you ever see a message like this in your app: