
MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,042
13,657



Craig Hockenberry, one of the developers behind Twitterrific, has written a blog post warning iOS users about in-app browsers, which he says are "considered harmful." According to Hockenberry, and as outlined in a video, an in-app browser has the ability to record what's being typed, even at a secure login screen.

This means an unscrupulous developer could potentially create an app with an in-app browser to capture the usernames and passwords of users who log in to websites like Twitter or Facebook with the browser. Many existing apps use in-app browsers to allow users to do things like log in with an already existing social media account simply to make the login process easier, but it appears there's also potential for abuse.

A few things to note about what you're seeing:

The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to a remote server.

This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has an input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.

The app is stealing your username and password by watching what you type on the site. There's nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.

Hockenberry says that acquiring usernames and passwords works in both iOS 7 and iOS 8, and may also work in earlier versions of iOS, but he is quick to point out that it is not a bug, as the techniques demonstrated in the video can be used for "good as well as evil."

Hockenberry does not have a clear solution in mind for Apple, as fixing the core behavior of both WebKit and UIWebView would require the company to update every version of iOS that included Safari and WebKit, but he does suggest the company could protect users with OAuth.

As for end users, Hockenberry warns not to enter private information when using an app that's not Safari. Browsing web content is safe, but he recommends that users open a link in Safari if there are any concerns about private information. More details on the security of in-app browsers, OAuth, and Hockenberry's recommendations can be found in his original blog post.

Article Link: Developer Warns Against Using In-App Browsers on iOS Due to Potential for Keylogging
 

HiRez

macrumors 603
Jan 6, 2004
5,990
1,993
Western US
And the good news just keeps on coming. I have a feeling Tim Cook will be drinking heavily this weekend.
 
Comment

hansonjohn590

macrumors 6502
Sep 14, 2013
353
4
Thanks for stating the obvious, Craig.

That's why you only download browsers from reputable companies.
 
Comment

NMBob

macrumors 65816
Sep 18, 2007
1,375
1,315
New Mexico
Can't be true. Timmy keeps saying they are focused on protecting your privacy. 8.0.1 is certainly doing its part.
 
Comment

kerrikins

macrumors 65816
Sep 22, 2012
1,204
436
as fixing the core behavior of both WebKit and UIWebView would require the company to update every version of iOS that included Safari and WebKit

Doesn't that mean this has been around for a long time already, then? Is it really an issue?
 
Comment

EdgardasB

macrumors 6502a
Apr 14, 2014
618
80
Lithuania
I'm sure he'll be crying into the billions Apple made this week.

 
Comment

HiRez

macrumors 603
Jan 6, 2004
5,990
1,993
Western US
I'm sure he'll be crying into the billions Apple made this week.

Financially they won't take much of a hit (although AAPL is kind of a separate thing). But what's more valuable than Apple's pile of cash? Their brand. And that is taking a pretty good beating in recent weeks, from the leaked iCloud accounts, the botched keynote video live stream, Tim Cook's awkward moment with Bono that makes them look old and uncool even to old people, the free U2 album download that no one wanted forced on them, the horrendous iPhone 6 preorder fiasco, various iPhone 6 issues, many annoying iOS 8.0 issues (including all HealthKit apps getting pulled from the App Store), to today's botched 8.0.1 "fix" that disables the primary communication stream of iPhones. I mean they will get through it, but it's been kind of rough.
 
Comment

redscull

macrumors 6502a
Jul 1, 2010
787
744
Texas
This has been the case since like forever. And you pretty much have to assume some level of ill-intent with literally every app that has an in-app browser, right? Why would they even go through the trouble versus simply launching you into Safari unless they wanted to at least track your interests, if not out-right steal your data?

The only time an in-app browser should exist is if all browsing in it is limited to the app-owner's own web content. Edit: Or, obviously, it is itself a browser app, like Chrome.
 
Comment

kerrikins

macrumors 65816
Sep 22, 2012
1,204
436
It's just getting worse and worse.

Not really, from what I can tell it'll impact any in-app logins and not necessarily just iOS, either. I mean, fair enough warning people about it, but bad timing since people are already paranoid.
 
Comment

starnox

macrumors 6502
Apr 15, 2005
363
67
This has been the case since like forever. And you pretty much have to assume some level of ill-intent with literally every app that has an in-app browser, right? Why would they even go through the trouble versus simply launching you into Safari unless they wanted to at least track your interests, if not out-right steal your data?

The only time an in-app browser should exist is if all browsing in it is limited to the app-owner's own web content.

As a developer because we care about the end user experience and it's nicer than bouncing between apps all the time.

I don't see any issue. Why would you even download an app from a developer/company you didn't trust?
 
Comment

Sean4000

Suspended
Aug 11, 2010
95
27
Then please allow ad block plus for iOS so I won't have to use virtual browsers for that extension alone.
 
Comment