Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Developer Warns Against Using In-App Browsers on iOS Due to Potential for Keylogging
- Thread starter MacRumors
- Start date
- Sort by reaction score
Ah, something for developers to contemplate while designing and cutting out the fabric for their super-hero unitards.
That… wouldn't help at all; this is an exploit that must be made by the developers of apps, not web developers. Having less ads wouldn't prevent developers from stealing information.
Lets be honest.. most people will never hear about any of that stuff. At all. The iPhone preorder thing is the biggest one, and that'll only make people rush to order faster next year.
Curious about this as well. I use 1Password for password storage only. I have never used the in-app browser. Never liked that.
nothing to see here ....
I assume every mobile browser in every mobile OS does the same thing, this is not peculiar to iOS only. I've created Windows Phone apps before and you can inspect the DOM of the browser plugin and you must be able to inject code into page that read key presses.
HOWEVER...
That's the reason why every app is vetted by Apple and has a review process and can be killed remotely. They have your bank details and other types of information on you when you create an app so tracing someone doing something malicious should be pretty straightforward.
So everyone who complained about the "walled garden" can now understand one of the major reasons its there. Windows OS in the 90's used to be a wild west of viruses and piracy simply because there was no way to police the thing. Thats what eventually pissed everyone off about Windows. We kind of need the policing out here cos people just abuse everything at the end of the day.
I assume every mobile browser in every mobile OS does the same thing, this is not peculiar to iOS only. I've created Windows Phone apps before and you can inspect the DOM of the browser plugin and you must be able to inject code into page that read key presses.
HOWEVER...
That's the reason why every app is vetted by Apple and has a review process and can be killed remotely. They have your bank details and other types of information on you when you create an app so tracing someone doing something malicious should be pretty straightforward.
So everyone who complained about the "walled garden" can now understand one of the major reasons its there. Windows OS in the 90's used to be a wild west of viruses and piracy simply because there was no way to police the thing. Thats what eventually pissed everyone off about Windows. We kind of need the policing out here cos people just abuse everything at the end of the day.
It's just becoming surreal, isn't it.
I just met someone, a young, normal person, who has never had a cell phone, and gets along just fine the way we all used to not all that long ago. I don't think I can go that far. Yet. But I'm feeling like maybe that should be a goal. I'm at least going to try shutting the damn thing off for a while and maybe just using it for emergencies.
I just met someone, a young, normal person, who has never had a cell phone, and gets along just fine the way we all used to not all that long ago. I don't think I can go that far. Yet. But I'm feeling like maybe that should be a goal. I'm at least going to try shutting the damn thing off for a while and maybe just using it for emergencies.
Phone? It would be a problem on any computer... It's also the problem with any note taking app, what if you take a note on some private info? You never know if it's sending your note to IgotYourNotes.com...
He's right, but it's not much different than trusting any 3rd party app where you enter any kind of info.
It's quite simple. Use a browser made by Google for sensitive data. Don't use one made by John Nobody for that kind of stuff.
Kinda sad you had to ask actually.
Tell me about it, so far today I've read about:
iPhone 6 having major camera issues.
http://venturebeat.com/2014/09/24/iphone-6-has-serious-camera-problems-say-toms-hardware-testers/
More Bendgate
http://news.yahoo.com/depth-examination-bending-iphone-6-plus-174538641.html
iOS 8.0.1 issues
http://techcrunch.com/2014/09/24/ap...healthkit-apps-can-now-come-to-the-app-store/
What's next?
How can anyone trust Agile to store the passwords but not the in-app browser? If Agile wants your passwords, it certainly doesn't have to grab them via the browser.
How many of us actually log into a website in-app?
How many of us specifically TURN OFF the in-app browser in apps?
How many of us specifically TURN OFF the in-app browser in apps?
(Brilliant how your username contains "John")
For many people, the share size of google seems to makes it less worthy of their trust. The fact that google's users are it's product is a big part of the issue.
However there doesn't seem to be a real alternative. Google is a verb.
Same trust issues with facebook.
Last edited:
It's not specific to anything. (Well, every Internet device with apps.)
May as well have a story: Buy an iPhone, Lose Your Life Savings! iPhone 6 Allows Users to Receive Scams by Email... just like every other way of getting at your email.
Whatever sells clicks and ad-views....
I do think it's a topic worth being aware of, on any platform--but not one of any specific current relevance. (I also think if anyone can tackle it well, it's Apple, and I hope they can.)
Keep in mind the very core of this.
We do not grab any information from the web browser at this time. Though in the future we may try to implement similar features as our desktop version allowing something like AutoSave functionality. At that point we would be getting the data in the webpage so as to save the data for you.
If we were to ever use features like Craig mentions it would only be for good.
As mentioned above, we do not gather any data about the pages you're visiting. That would be a breach of trust.
What we could do is use this or similar technology as our desktop browser extension to help save new usernames/passwords but if we did that it would be something you could turn on or off at your discretion.
I like the way you think. But, given what I've mentioned above, we don't currently do any gathering of data from the built in web browser. If we did it would only be to allow AutoSave type of functionality and would be an optional feature.
All we've ever wanted to do was help people be secure and we wouldn't breach the trust that our users have for us.
From my understanding, it is neither specific to iOS 8 or iOS at all. The same attack could be done on Android FWIW.
Touchstrokes!
A good article to read:
Introducing Touchstroke: Keystroke-based Authentication System for Smartphones, Security and Communication Networks, 2014, Wiley,
Link: http://www.icsd.aegean.gr/publication_files/journal/527075717.pdf
A good article to read:
Introducing Touchstroke: Keystroke-based Authentication System for Smartphones, Security and Communication Networks, 2014, Wiley,
Link: http://www.icsd.aegean.gr/publication_files/journal/527075717.pdf
Kind of sad that you think sensitive data should be trusted with Google.
As opposed to who? Why don't you tell us our alternatives?
That's what I thought.
So whats new?
Every embedded browser in every mobile OS can be exploited like that...
----------
Windows Phone and Blackberry as well.
Every embedded browser in every mobile OS can be exploited like that...
----------
Windows Phone and Blackberry as well.
A big part of the problem would be the looks people give you when you have to remind them you can't "text me".
----------
How's duckduckgo?