"Hey Siri" support and possibly wireless charging case alongside AirPower charging mat.
Developer Warns Against Using In-App Browsers on iOS Due to Potential for Keylogging
Craig Hockenberry, one of the developers behind Twitterriffic, has written a blog post warning iOS users about in-app browsers, which he says are "considered harmful." According to Hockenberry, and as outlined in a video, an in-app browser has the ability to record what's being typed, even at a secure login screen.
This means an unscrupulous developer could potentially create an app with an in-app browser to capture the usernames and passwords of users who login to websites like Twitter or Facebook with the browser. Many existing apps use in-app browsers to allow users to do things like login with an already existing social media account simply to make the login process easier, but it appears there's also potential for abuse.
Hockenberry does not have a clear solution in mind for Apple, as fixing the core behavior of both WebKit and UIWebView would require the company to update every version of iOS that included Safari and WebKit, but he does suggest the company could protect users with OAuth.
As for end users, Hockenberry warns not to enter private information when using an app that's not Safari. Browsing web content is safe, but he recommends that users open a link in Safari if there are any concerns about private information. More details on the security of in-app browsers, OAuth, and Hockenberry's recommendations can be found in his original blog post.
This means an unscrupulous developer could potentially create an app with an in-app browser to capture the usernames and passwords of users who login to websites like Twitter or Facebook with the browser. Many existing apps use in-app browsers to allow users to do things like login with an already existing social media account simply to make the login process easier, but it appears there's also potential for abuse.
A few things to note about what you're seeing:Hockenberry says that acquiring usernames and passwords works in both iOS 7 and iOS 8, and may also work in earlier versions of iOS, but he is quick to point out that it is not a bug, as the techniques demonstrated in the video can be used for "good as well as evil."
The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.
This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.
The app is stealing your username and password by watching what you type on the site. There's nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.
Hockenberry does not have a clear solution in mind for Apple, as fixing the core behavior of both WebKit and UIWebView would require the company to update every version of iOS that included Safari and WebKit, but he does suggest the company could protect users with OAuth.
As for end users, Hockenberry warns not to enter private information when using an app that's not Safari. Browsing web content is safe, but he recommends that users open a link in Safari if there are any concerns about private information. More details on the security of in-app browsers, OAuth, and Hockenberry's recommendations can be found in his original blog post.
[ 87 comments ]
Top Rated Comments
(View all)
55 months ago
And the good news just keeps on coming. I have a feeling Tim Cook will be drinking heavily this weekend.
55 months ago
I'm sure he'll be crying into the billions Apple made this week.
Financially they won't take much of a hit (although AAPL is kind of a separate thing). But what's more valuable than Apple's pile of cash? Their brand. And that is taking a pretty good beating in recent weeks, from the leaked iCloud accounts, the botched keynote video live stream, Tim Cook's awkward moment with Bono that makes them look old and uncool even to old people, the free U2 album download that no one wanted forced on them, the horrendous iPhone 6 preorder fiasco, various iPhone 6 issues, many annoying iOS 8.0 issues (including all HealthKit apps getting pulled from the App Store), to todays botched 8.0.1 "fix" that disables the primary communication stream of iPhones. I mean they will get through it, but it's been kind of rough.
55 months ago
I use 1Password, which has an in-app browser. Kind of ironic, really...
Keep in mind the very core of this.
but he is quick to point out that it is not a bug, as the techniques demonstrated in the video can be used for "good as well as evil."
We do not grab any information from the web browser at this time. Though in the future we may try to implement similar features as our desktop version allowing something like AutoSave functionality. At that point we would be getting the data in the webpage so as to save the data for you.
If we were to ever use features like Craig mentions it would only be for good.
Curious about this as well. I use 1Password for password storage only. I have never used the in-app browser. Never liked that.
As mentioned above, we do not gather any data about the pages you're visiting. That would be a breach of trust.
What we could do is use this or similar technology as our desktop browser extension to help save new usernames/passwords but if we did that it would be something you could turn on or off at your discretion.
How can anyone trust Agile to store the passwords but not the in-app browser? If Agile wants your passwords, it certainly doesn't have to grab them via the browser.
:)
I like the way you think. But, given what I've mentioned above, we don't currently do any gathering of data from the built in web browser. If we did it would only be to allow AutoSave type of functionality and would be an optional feature.
All we've ever wanted to do was help people be secure and we wouldn't breach the trust that our users have for us.
55 months ago
This has been the case since like forever. And you pretty much have to assume some level of ill-intent with literally every app that has an in-app browser, right? Why would they even go through the trouble versus simply launching you into Safari unless they wanted to at least track your interests, if not out-right steal your data?
The only time an in-app browser should exist is if all browsing in it is limited to the app-owner's own web content.
As a developer because we care about the end user experience and it's nicer than bouncing between apps all the time.
I don't see any issue, why would you even download an app from a developer/company you didn't trust.
55 months ago
Curious about this as well. I use 1Password for password storage only. I have never used the in-app browser. Never liked that.
How can anyone trust Agile to store the passwords but not the in-app browser? If Agile wants your passwords, it certainly doesn't have to grab them via the browser.
55 months ago
It's quite simple. Use a browser made by Google for sensitive data. Don't use one made by John Nobody for that kind of stuff.
Kinda sad you had to ask actually.
Kind of sad that you think sensitive data should be trusted with Google. ;)
[ Read All Comments ]
The Catalyst Waterproof AirPods Case, designed to protect your AirPods case from liquids, is now available from the Apple online store and Apple retail locations.
Priced at $29.95, the...
Following the release of iOS 12.1.1 on December 5 and iOS 12.1.2 on December 17, Apple has stopped signing iOS 12.1, the previous version of iOS that was available to consumers.
iPhone, iPad,...
Christmas is now one week away, and shipping estimates will only become more of an issue for shoppers the closer the holiday gets. That's when e-mail delivery App Store and iTunes Gift Cards come...
Launch Center Pro, an app that offers quick access shortcuts for everyday tasks, today released a major update that adds quite a bit of new functionality.
Version 3.0 of the app introduces NFC...
As of today, Twitter is introducing a new option that will allow iOS users to easily view their tweets in a chronological order, a feature Twitter users have wanted for quite some time.
The...
Satechi today announced a new stand for the iMac, called the Type-C Aluminum Monitor Stand Hub. The accessory features seven built-in ports and an ergonomic design that the company says is aimed at...
Popular iPhone photo editing app Darkroom is today expanding to the iPad, marking the app's biggest update since its 2015 launch.
Darkroom has been rebuilt from the ground up to add support...
With the latest Apple Pay promotion you can save $20 on a future purchase from Nike, if you spend $100 or more in the Nike iOS app and pay for your order using Apple Pay.
The offer...
