Developer Warns Against Using In-App Browsers on iOS Due to Potential for Keylogging

Craig Hockenberry, one of the developers behind Twitterriffic, has written a blog post warning iOS users about in-app browsers, which he says are "considered harmful." According to Hockenberry, and as outlined in a video, an in-app browser has the ability to record what's being typed, even at a secure login screen.

This means an unscrupulous developer could potentially create an app with an in-app browser to capture the usernames and passwords of users who login to websites like Twitter or Facebook with the browser. Many existing apps use in-app browsers to allow users to do things like login with an already existing social media account simply to make the login process easier, but it appears there's also potential for abuse.

A few things to note about what you're seeing:

The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.

This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.

The app is stealing your username and password by watching what you type on the site. There's nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.

Hockenberry says that acquiring usernames and passwords works in both iOS 7 and iOS 8, and may also work in earlier versions of iOS, but he is quick to point out that it is not a bug, as the techniques demonstrated in the video can be used for "good as well as evil."

Hockenberry does not have a clear solution in mind for Apple, as fixing the core behavior of both WebKit and UIWebView would require the company to update every version of iOS that included Safari and WebKit, but he does suggest the company could protect users with OAuth.

As for end users, Hockenberry warns not to enter private information when using an app that's not Safari. Browsing web content is safe, but he recommends that users open a link in Safari if there are any concerns about private information. More details on the security of in-app browsers, OAuth, and Hockenberry's recommendations can be found in his original blog post.

Top Rated Comments

WilliamG Avatar
87 months ago
I use 1Password, which has an in-app browser. Kind of ironic, really...
Score: 24 Votes (Like | Disagree)
HiRez Avatar
87 months ago
And the good news just keeps on coming. I have a feeling Tim Cook will be drinking heavily this weekend.
Score: 21 Votes (Like | Disagree)
Goldfrapp Avatar
87 months ago
InAppGate

BrowserGate

FMLgate
Score: 16 Votes (Like | Disagree)
EdgardasB Avatar
87 months ago
I'm sure he'll be crying into the billions Apple made this week.

Score: 10 Votes (Like | Disagree)
Apollo 13 Avatar
87 months ago
this would be a problem on any phone not just a ios device.
Score: 10 Votes (Like | Disagree)
HiRez Avatar
87 months ago
I'm sure he'll be crying into the billions Apple made this week.
Financially they won't take much of a hit (although AAPL is kind of a separate thing). But what's more valuable than Apple's pile of cash? Their brand. And that is taking a pretty good beating in recent weeks, from the leaked iCloud accounts, the botched keynote video live stream, Tim Cook's awkward moment with Bono that makes them look old and uncool even to old people, the free U2 album download that no one wanted forced on them, the horrendous iPhone 6 preorder fiasco, various iPhone 6 issues, many annoying iOS 8.0 issues (including all HealthKit apps getting pulled from the App Store), to todays botched 8.0.1 "fix" that disables the primary communication stream of iPhones. I mean they will get through it, but it's been kind of rough.
Score: 9 Votes (Like | Disagree)

Top Stories

tracking disabled ios 14 5

Analytics Suggest 96% of Users Leave App Tracking Disabled in iOS 14.5

Friday May 7, 2021 1:51 am PDT by
An early look at an ongoing analysis of Apple's App Tracking Transparency suggests that the vast majority of iPhone users are leaving app tracking disabled since the feature went live on April 26 with the release of iOS 14.5. According to the latest data from analytics firm Flurry, just 4% of iPhone users in the U.S. have actively chosen to opt into app tracking after updating their device...
macbook colors 3d black bezels

Prosser: Next MacBook Air Could Come in Colors Similar to iMac

Friday May 7, 2021 6:55 am PDT by
According to Apple leaker Jon Prosser, Apple's upcoming release of the MacBook Air will feature various colors, similar to the colors in the newly released 24-inch iMac. In the latest video of his YouTube channel Front Page Tech, Prosser says the same source who accurately provided him information on the first Apple silicon iMac coming in colors has told him that he recently saw a prototype...
tile amazon sidewalk integration

Tile to Leverage Amazon Echo and Ring Devices to Better Compete With AirTags

Friday May 7, 2021 2:07 pm PDT by
Amazon today announced that it is teaming up with Tile to add Amazon Sidewalk integration to Tile's Bluetooth trackers. Amazon Sidewalk, for those unfamiliar, is a network of Amazon Bluetooth devices that's designed to improve the connectivity of devices like the Ring and Amazon Echo. Tile will now be joining Amazon Sidewalk, and through this integration, Amazon Echo and Ring devices will be ...
Top Stories 59 Feature

Top Stories: Epic Games vs. Apple, Hidden AirTag Mode, Apple Music Hi-Fi, Colorful MacBook Air?

Saturday May 8, 2021 6:00 am PDT by
While we wait for the newly introduced iMac, iPad Pro, and Apple TV models to launch later this month, this week saw the kickoff of the big Epic Games v. Apple trial, with lots of juicy tidbits coming out as the two sides make their arguments. This week also saw some rumors about a Hi-Fi tier for Apple Music, more biometric sensing capabilities for Apple Watch, and timing for the...
zoom app icon

Apple Gave Zoom Access to Special API to Use iPad Camera During Split View Multitasking

Sunday May 9, 2021 2:00 am PDT by
Zoom, a hallmark platform used by millions during the global health crisis, has been given access to a special iPadOS API that allows the app to use the iPad camera while the app is in use in Split View multitasking mode. This case of special treatment was first brought to attention by app developer Jeremy Provost, who, in a blog post, explains that Zoom uses a special API that allows the...
snapchat dark mode

Snapchat Rolls Out Dark Mode on iOS

Wednesday May 5, 2021 1:17 am PDT by
Nearly two years following the release of iOS and iPadOS 13, which included native, built-in, and systemwide dark mode, Snapchat, one of the world's most prominent social media networks, has finally rolled out a dark mode theme for iOS users. Snapchat began testing a dark mode theme of its app design late last year with a small group of iOS users. Now, Snapchat says that as of this week, it...
tile sticker e1570533758981

Tile CEO: 'We Welcome Competition From Apple, But We Think It Needs to Be Fair'

Tuesday May 4, 2021 9:51 am PDT by
Just after Apple announced its AirTags, Tile CEO CJ Prober relayed his concerns about competing with Apple in the tracking space, and said that Tile would ask Congress to investigate Apple's business practices specific to Find My and item trackers. Prober this week did an interview with Bloomberg, where he further expanded on Tile's complaints about Apple and why he feels that Tile is...
fortnite apple logo 2

Epic CEO Tim Sweeney Admits App Store's 30% Cut Is Similar to Consoles, Would Have Accepted Special Deal With Apple

Tuesday May 4, 2021 1:54 pm PDT by
Apple's legal battle with Epic Games is continuing on, and during the second day of the trial, Epic Games' CEO Tim Sweeney continued his testimony against Apple. Sweeney was grilled by Apple's lawyers, and made several points seemingly favorable to Apple. In addition to mentioning how he prefers Apple's iPhone and values Apple's privacy policies that he's aiming to dismantle, Sweeney...
signal instagram ads3

Signal Shares the Instagram Ads Facebook Doesn't Want You to See

Wednesday May 5, 2021 1:29 am PDT by
Encrypted messaging app Signal has had a series of Instagram ads blocked from the social media platform, after it attempted to show users how much data the Facebook-owned company collects about them and how it's used to push targeted ads. In a blog post, Signal described how it generated the ads to show users why they were seeing them, simply by declaring upfront the information that the...
iphone 12 preorder purple

Apple Begins Transition to Randomized Serial Numbers With Purple iPhone 12

Wednesday May 5, 2021 9:17 am PDT by
MacRumors previously reported about Apple's plan to switch to randomized serial numbers for future products starting in early 2021, and this transition has now started with the new purple iPhone 12 model in multiple countries. With assistance from Aaron Zollo, host of the YouTube channel ZolloTech, we can confirm that the purple iPhone 12 released last month has a new 10-character serial...