Developer Warns Against Using In-App Browsers on iOS Due to Potential for Keylogging

Craig Hockenberry, one of the developers behind Twitterrific, has written a blog post warning iOS users about in-app browsers, which he says are "considered harmful." According to Hockenberry, and as outlined in a video, an in-app browser has the ability to record what's being typed, even at a secure login screen.

This means an unscrupulous developer could potentially create an app with an in-app browser to capture the usernames and passwords of users who log in to websites like Twitter or Facebook with the browser. Many existing apps use in-app browsers to let users log in with an existing social media account simply to make the login process easier, but it appears there's also potential for abuse.

A few things to note about what you're seeing:

The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to a remote server.

This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has an input form. All the attacker needs to know can easily be obtained by viewing the public-facing HTML on the site.

The app is stealing your username and password by watching what you type on the site. There's nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.

Hockenberry says that acquiring usernames and passwords works in both iOS 7 and iOS 8, and may also work in earlier versions of iOS, but he is quick to point out that it is not a bug, as the techniques demonstrated in the video can be used for "good as well as evil."

Hockenberry does not have a clear solution in mind for Apple, as fixing the core behavior of both WebKit and UIWebView would require the company to update every version of iOS that included Safari and WebKit, but he does suggest the company could protect users with OAuth.

As for end users, Hockenberry warns not to enter private information when using an app that's not Safari. Browsing web content is safe, but he recommends that users open a link in Safari if there are any concerns about private information. More details on the security of in-app browsers, OAuth, and Hockenberry's recommendations can be found in his original blog post.

Top Rated Comments

WilliamG
120 months ago
I use 1Password, which has an in-app browser. Kind of ironic, really...
Score: 24 Votes
HiRez
120 months ago
And the good news just keeps on coming. I have a feeling Tim Cook will be drinking heavily this weekend.
Score: 21 Votes
sniffies
120 months ago
InAppGate

BrowserGate

FMLgate
Score: 16 Votes
EdgardasB
120 months ago
I'm sure he'll be crying into the billions Apple made this week.
Score: 10 Votes
Apollo 13
120 months ago
This would be a problem on any phone, not just an iOS device.
Score: 10 Votes
HiRez
120 months ago
I'm sure he'll be crying into the billions Apple made this week.
Financially they won't take much of a hit (although AAPL is kind of a separate thing). But what's more valuable than Apple's pile of cash? Their brand. And that is taking a pretty good beating in recent weeks, from the leaked iCloud accounts, the botched keynote video live stream, Tim Cook's awkward moment with Bono that makes them look old and uncool even to old people, the free U2 album download that no one wanted forced on them, the horrendous iPhone 6 preorder fiasco, various iPhone 6 issues, many annoying iOS 8.0 issues (including all HealthKit apps getting pulled from the App Store), to today's botched 8.0.1 "fix" that disables the primary communication stream of iPhones. I mean they will get through it, but it's been kind of rough.
Score: 9 Votes
