Proof-of-concept video: https://www.youtube.com/watch?v=2Bl-pJBHYuc
App developer Craig Hockenberry has published an article today titled “In-app browsers considered harmful”, warning both developers and users about security issues in apps that use in-app browser views. “Would it surprise you to know that every one of those apps could eavesdrop on your typing? Even when it’s in a secure login screen with a password field?”
Many apps send users to an in-app browser to do things like authenticate logins for associated services. Think logging into an app using your Facebook or Twitter credentials, as highlighted in the proof-of-concept video above. You might assume that would be as safe as doing so through Safari, but Hockenberry notes that, unlike Safari, it’s relatively easy for someone to exploit the feature to capture username and password data:
This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has an input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site… The app is stealing your username and password by watching what you type on the site. There’s nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.
The report adds that the technique was tested on iOS 7 and iOS 8. Hockenberry says that is the reason his company’s app Twitterrific “did its token exchange in Safari, even though it’s a more complex user interaction and a more difficult technical implementation.” That, however, isn’t something required by Apple’s app review procedures, and users might assume an in-app browser view is as secure as Safari.
The article doesn’t provide any clear recommendations for Apple to remedy the issue, and notes that “Apple would need to release a new version of iOS for each version that included Safari and WebKit” to fix the core issue in WebKit and UIWebView. “No, this is not a WebKit bug… The problem is that an iOS app has as much access to these technologies as the developer of the web page.”
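The site owner cannot stop a hosting app from injecting JavaScript into its page, as the quote above explains, but a login page can at least recognise when it is likely being rendered inside an embedded web view rather than Safari and warn the user before they type a password. The following is an added example, not code from Hockenberry’s article or from Twitterrific; it rests on the assumption that Safari on iOS sends both a `Version/` and a `Safari/` token in its user agent while UIWebView sends the WebKit and `Mobile/` tokens without `Safari/`. The function names and the sample user-agent strings are constructed for the example.

```javascript
// Added example: a login page's client-side check for "am I inside an
// in-app browser?" on iOS. The host app controls the web view, so it can
// also rewrite the user agent; treat a positive result as a warning hint,
// not as a security boundary (the article's point stands: the app wins).

const IOS_DEVICE = /\b(iPhone|iPad|iPod)\b/;

// Classify a user-agent string (heuristic assumption, see lead-in):
//   'safari'            Safari proper: Version/x and Safari/x both present
//   'embedded-webview'  iOS WebKit without the Safari/ token (UIWebView style)
//   'not-ios-webkit'    anything else (desktop, other platforms, garbage)
function classifyIosUserAgent(ua) {
  if (typeof ua !== 'string' || !IOS_DEVICE.test(ua) || !/AppleWebKit\//.test(ua)) {
    return 'not-ios-webkit';
  }
  const hasSafariToken = /\bSafari\/\d/.test(ua);
  const hasVersionToken = /\bVersion\/\d/.test(ua);
  return hasSafariToken && hasVersionToken ? 'safari' : 'embedded-webview';
}

// Message to show above the password field, or null when none applies.
function loginWarningFor(ua) {
  if (classifyIosUserAgent(ua) !== 'embedded-webview') return null;
  return 'You appear to be signing in from inside another app. ' +
         'Open this page in Safari before entering your password.';
}

// Constructed sample user agents in the shape iOS 8 era browsers sent;
// not captured from real devices.
const SAMPLE_SAFARI_UA =
  'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.4 ' +
  '(KHTML, like Gecko) Version/8.0 Mobile/12A365 Safari/600.1.4';
const SAMPLE_WEBVIEW_UA =
  'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.4 ' +
  '(KHTML, like Gecko) Mobile/12A365';
const SAMPLE_DESKTOP_UA =
  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.4 ' +
  '(KHTML, like Gecko) Version/8.0 Safari/600.1.4';

// Browser usage: insert the warning before the login form if one applies.
// Guarded so the same file also runs under Node for the samples above.
if (typeof document !== 'undefined' && typeof navigator !== 'undefined') {
  const msg = loginWarningFor(navigator.userAgent);
  const form = document.querySelector('form');
  if (msg && form) {
    const banner = document.createElement('p');
    banner.textContent = msg;
    form.parentNode.insertBefore(banner, form);
  }
} else {
  for (const ua of [SAMPLE_SAFARI_UA, SAMPLE_WEBVIEW_UA, SAMPLE_DESKTOP_UA]) {
    console.log(classifyIosUserAgent(ua), '<-', ua.slice(0, 40) + '...');
  }
}
```

The check is deliberately conservative: it only ever adds a warning, never blocks the login, because a false positive for a legitimate browser is cheap while the app-controlled user agent means a false negative is always possible.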
Unfortunately, Apple’s current App Review policy does not agree with this recommendation or with Twitterrific’s previous implementation. This is why our update for iOS 8 was delayed—it was the first time since the launch of the App Store that we haven’t had a new version on release day.
For now, Hockenberry suggests users avoid typing sensitive username or password information in an in-app browser view.