I received an email from google We're writing to let you know that we detected the use of an embedded webview in requests to Google's OAuth 2.0 authorization endpoint in the past 120 days associated with one or more of your OAuth client IDs listed in this email.
Our site is only a web application (smodin.io)
We've been using google auth for many months, beyond the 120 day period; according to this post from google we should have been notified months ago (we also have a dev environment that hasn't received the same email).
I've received emails in the past from spam security bounties about avoiding iframe hijacking for login and I'm not sure if it's related. I had been advised it wasn't actually a concern.
How might I find out where this embedded webview is coming from? (and any related security concern it could be coming from)
Our setup: Firebase auth (google and email/PW login) and next JS (reactjs).
PS: This is ~identicial to Google OAuth 2.0 client ID authorization via embedded webview but no sufficient answer was received because it was originally asked in a poor way I think.
You can use Google Analytics to get some clues. You can filter by the Browser called "Android Webview".
In my case I found out that it was mainly social traffic coming from third party apps, like Facebook and LinkedIn. I'm still trying to find a solution because obviously I have no control of those apps.