Developer Warns Against Using In-App Browsers on iOS Due to Potential for Keylogging

Craig Hockenberry, one of the developers behind Twitterriffic, has written a blog post warning iOS users about in-app browsers, which he says are "considered harmful." According to Hockenberry, and as outlined in a video, an in-app browser has the ability to record what's being typed, even at a secure login screen.

This means an unscrupulous developer could potentially create an app with an in-app browser to capture the usernames and passwords of users who login to websites like Twitter or Facebook with the browser. Many existing apps use in-app browsers to allow users to do things like login with an already existing social media account simply to make the login process easier, but it appears there's also potential for abuse.

A few things to note about what you're seeing:

The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.

This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.

The app is stealing your username and password by watching what you type on the site. There's nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.

Hockenberry says that acquiring usernames and passwords works in both iOS 7 and iOS 8, and may also work in earlier versions of iOS, but he is quick to point out that it is not a bug, as the techniques demonstrated in the video can be used for "good as well as evil."

Hockenberry does not have a clear solution in mind for Apple, as fixing the core behavior of both WebKit and UIWebView would require the company to update every version of iOS that included Safari and WebKit, but he does suggest the company could protect users with OAuth.

As for end users, Hockenberry warns not to enter private information when using an app that's not Safari. Browsing web content is safe, but he recommends that users open a link in Safari if there are any concerns about private information. More details on the security of in-app browsers, OAuth, and Hockenberry's recommendations can be found in his original blog post.

Top Rated Comments

WilliamG Avatar
81 months ago
I use 1Password, which has an in-app browser. Kind of ironic, really...
Score: 24 Votes (Like | Disagree)
HiRez Avatar
81 months ago
And the good news just keeps on coming. I have a feeling Tim Cook will be drinking heavily this weekend.
Score: 21 Votes (Like | Disagree)
Goldfrapp Avatar
81 months ago
InAppGate

BrowserGate

FMLgate
Score: 16 Votes (Like | Disagree)
EdgardasB Avatar
81 months ago

I'm sure he'll be crying into the billions Apple made this week.


Score: 10 Votes (Like | Disagree)
Apollo 13 Avatar
81 months ago
this would be a problem on any phone not just a ios device.
Score: 10 Votes (Like | Disagree)
HiRez Avatar
81 months ago

I'm sure he'll be crying into the billions Apple made this week.

Financially they won't take much of a hit (although AAPL is kind of a separate thing). But what's more valuable than Apple's pile of cash? Their brand. And that is taking a pretty good beating in recent weeks, from the leaked iCloud accounts, the botched keynote video live stream, Tim Cook's awkward moment with Bono that makes them look old and uncool even to old people, the free U2 album download that no one wanted forced on them, the horrendous iPhone 6 preorder fiasco, various iPhone 6 issues, many annoying iOS 8.0 issues (including all HealthKit apps getting pulled from the App Store), to todays botched 8.0.1 "fix" that disables the primary communication stream of iPhones. I mean they will get through it, but it's been kind of rough.
Score: 9 Votes (Like | Disagree)

Top Stories

apple top apps games 2020

Apple Shares Top 20 Most Downloaded Games and Apps of 2020

Tuesday December 1, 2020 9:38 pm PST by
Alongside picks for the top iPhone, iPad, and Mac apps and games of the year, Apple today shared charts featuring the Top Games of 2020 and the Top Apps of 2020, revealing the most popular free and paid apps and games during the year. Among Us! was the top free game of 2020, followed by Call of Duty: Mobile, Roblox, and Subway Surfers. Ink Inc. Tattoo Drawing was the number four free app,...
m1 chip macbook air pro

Developer Delves Into Reasons Why Apple's M1 Chip is So Fast

Monday November 30, 2020 1:57 pm PST by
Apple's M1 chip is the fastest chip that Apple has ever released in a Mac based on single-core CPU benchmark scores, and it beats out many high-end Intel Macs when it comes to multi-core performance. Developer Erik Engheim recently shared a deep dive into the M1 chip, exploring the reasons why Apple's new processor is so much faster than the Intel chips that it replaces. First and foremost,...
maxresdefault

Italy Fines Apple $12 Million for Misleading iPhone Water Resistance Claims

Monday November 30, 2020 3:10 am PST by
Apple has been slapped with a 10 million euro ($12 million) fine by Italy's antitrust watchdog for unfair commercial practices related to its iPhone marketing in the country. One of the Apple ads cited in the Italian watchdog's proceedings (credit: setteBIT) Specifically, Apple is being charged for misleading claims in promotional messages about how deep and how long iPhones can be submerged...
General cyber monday 20 sale feature

Apple Cyber Monday 2020: Discounts on iPads, Macs, AirPods, and More [Updated]

Monday November 30, 2020 6:25 am PST by
Today is Cyber Monday, a shopping event that sees many of the same deals from Black Friday bleed over into a new week, along with a few brand new offers on everything from Apple products to related accessories. In this post we'll highlight the best online discounts that you can find on Apple devices today. Note: MacRumors is an affiliate partner with some of these vendors. When you click a...
16 inch MBP Mini Led

Mini-LED M1 MacBook Pro and Mini-LED iPad Pro Models Coming First Half of 2021

Monday November 30, 2020 2:24 am PST by
Apple is widely reported to be embracing mini-LED display backlighting technology for some products next year, and a new report today by DigiTimes has named several of Apple's partners in the supply chain that are expected to benefit from the switch. According to the report, Apple is set to launch its first mini-LED iPad Pro in the first quarter of 2021 and mass produce mini-LED MacBook Pro...
iphone8guide b

iOS 14.2 Quietly Added FaceTime 1080p Support to iPhone 8 and Later Models

Wednesday December 2, 2020 3:21 am PST by
Back in early November, Apple released iOS 14.2 and announced with it a slew of new features for iPhones, but one thing it didn't mention was the apparent addition of support for 1080p FaceTime calls on iPhone 8 and later devices. The little-known fact was discovered by MacMagazine, which found that Apple quietly updated the specs pages for devices like iPhone XR shortly after the release of ...
Mac Mini 2018

Apple Developers Now Able to Natively Run macOS Within AWS With Amazon EC2 Mac Instances

Monday November 30, 2020 9:01 pm PST by
As AWS re:Invent kicks off, Amazon Web Services today announced new Mac instances for Amazon Elastic Compute Cloud, allowing AWS customers to run on-demand macOS workloads in the AWS cloud for the first time. Amazon says that the new feature extends the flexibility, scalability, and cost benefits of AWS to all Apple developers as those creating apps for iPhone, iPad, Mac, Apple Watch, Apple...
best apps of 2020

Wakeout! Named Apple's Best App of 2020, While Zoom Earns the Title for Best iPad App

Tuesday December 1, 2020 9:26 pm PST by
Apple today shared its App Store Best of 2020 winners, highlighting its picks for the top iOS, iPadOS, and macOS apps and games released over the course of the year. Apple's iPhone App of the Year award went to Wakeout!, which is a family friendly exercise and movement app that encourages people to complete easy exercises while at home. Apple's iPad App of the Year was Zoom, which soared in...
magsafe duo charger

MagSafe Duo Charger for iPhone 12 and Apple Watch Now Available for Purchase

Tuesday December 1, 2020 4:15 pm PST by
Apple today began selling the MagSafe Duo Charger that was announced alongside the new iPhone 12 models back in October. Priced at $129, the MagSafe Duo offers a MagSafe charging puck for the iPhone 12, 12 Pro, 12 Pro Max, and 12 mini, along with an Apple Watch charger. Though the accessory was announced in October and was listed as coming soon, it was not clear when it would launch. Orders...
imac 5k 2014 video

Apple Adds First iMac Models With Retina 5K Display to Vintage Products List

Tuesday December 1, 2020 8:09 am PST by
The first iMac with a Retina 5K display is one of several iMac models that have been added to Apple's vintage products list this week. In the past, vintage Apple products were no longer eligible for repairs at the Genius Bar or at Apple Authorized Service Providers, but Apple began offering extended repairs of select vintage products in 2018. Many of the iMac models listed below will likely...