Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Developer Warns Against Using In-App Browsers on iOS Due to Potential for Keylogging
- Thread starter MacRumors
- Start date
- Sort by reaction score
lol... "Suck it up"
I was gonna jump to the fact iO8's extensions or other stuff, but wow, iOS7 too..
Well, the only the only app i really use is Lastpass Premium which u lgin via the app.
However, this guys wouldn't be malicious....
Plus, users know that you login via iOS permanently,,, why would u use an app to login *again* ?
It may illiterate a point, but iOS users are smarter than this, aren't they ??
I was gonna jump to the fact iO8's extensions or other stuff, but wow, iOS7 too..
Well, the only the only app i really use is Lastpass Premium which u lgin via the app.
However, this guys wouldn't be malicious....
Plus, users know that you login via iOS permanently,,, why would u use an app to login *again* ?
It may illiterate a point, but iOS users are smarter than this, aren't they ??
Then make your own browser or stop browsing the web.
Are you new to the internet or something?
----------
In other news, water is wet.
They have all the Adblock I need: no flash. I don't really care about the banner ads, and most websites / ad services don't allow javascript Popup sort of things (boycott those that do allow them, and contact the webmaster. Those are obnoxious and need to be banned from existance).
As for what Apple could do... Couldn't they modify WebKit to prevent password input fields from being inspected from outside javascript code (that is, code from the app with the WebKit frame?) It seems like there's little legitimate reason for an app to want to read a field that is set up as a password field. Further, WebKit would need some kind of internal marker to designate a field as having ever been a password field (so that the external code can't just change the field to a normal text field, read it, then change it back to a password field).
He might as well have said the sky is blue
One of the most fundamental principles of security is that any time you give your access credentials to a third party, you are making a decision based on trust.
That's a fact that is older than iOS, older than personal computers, older than mainframes, older than cryptography.
The oldest known lock is estimated to be 4,000 years old, excavated from Khorsabad Palace in ancient Persia near Nineveh. If the user of that lock were to give their key to some nefarious Ninevite, they'd be placing the security of that lock at risk. If they gave it instead to a faithful friend, they'd still be placing the security of the lock at risk, although hopefully much less risk because the faithful friend has a history of being trustworthy.
This scenario is as old as the dirt Jesus, Mohammed, and Buddha walked upon in prototype Birkenstocks.
Security is never perfectly secure, it is only as secure as the trust you can place in each part of the system.
Not only can in-app browsers steal your credentials, so could Safari if Apple suddenly decided to do so. How much do you trust Apple? How much do you trust AgileBits (makers of 1Password)? How much do you trust LOLWTF SOFWARZ, makers of the CANHAZWEBPAYG browser?
How much do you trust the makers of each and every extension you install in your desktop browser?
How much do you trust the hot new social app that requires you to use your Facebook credentials to log in?
The answers to these questions are how you decide on what is secure enough for you because there is no such thing as perfect security.
The sky is blue, and all systems are penetrable.
Anyone you give a key to can exploit that key.
This is not news, it is simply an illustration of why trust is so important.
One of the most fundamental principles of security is that any time you give your access credentials to a third party, you are making a decision based on trust.
That's a fact that is older than iOS, older than personal computers, older than mainframes, older than cryptography.
The oldest known lock is estimated to be 4,000 years old, excavated from Khorsabad Palace in ancient Persia near Nineveh. If the user of that lock were to give their key to some nefarious Ninevite, they'd be placing the security of that lock at risk. If they gave it instead to a faithful friend, they'd still be placing the security of the lock at risk, although hopefully much less risk because the faithful friend has a history of being trustworthy.
This scenario is as old as the dirt Jesus, Mohammed, and Buddha walked upon in prototype Birkenstocks.
Security is never perfectly secure, it is only as secure as the trust you can place in each part of the system.
Not only can in-app browsers steal your credentials, so could Safari if Apple suddenly decided to do so. How much do you trust Apple? How much do you trust AgileBits (makers of 1Password)? How much do you trust LOLWTF SOFWARZ, makers of the CANHAZWEBPAYG browser?
How much do you trust the makers of each and every extension you install in your desktop browser?
How much do you trust the hot new social app that requires you to use your Facebook credentials to log in?
The answers to these questions are how you decide on what is secure enough for you because there is no such thing as perfect security.
The sky is blue, and all systems are penetrable.
Anyone you give a key to can exploit that key.
This is not news, it is simply an illustration of why trust is so important.
LOL. Let's check today's Yahoo home page, the most-visited home page on the web. These are all on the home page together, right now. Granted, most of these articles are click-bait written by morons looking for traffic, but I would say people are hearing about it.
Apple plagued by iPhone 6 stumbles (top story, in the big photo on top)
Apple Stock Tanks Wall Street Over Bad iOS Update, Bendable iPhones
Rivals mock an issue with Apple’s new iPhone #BendGate
I Just Got The iPhone 6 Plus And I'm Already Thinking About Returning It
Apple stock falls amid new iPhone glitches
Apple Just Broke Its Silence On Bendgate
Will Apple replace your bent iPhone 6? It depends
iPhone 6 has serious camera problems, say Tom's Guide testers
Apple Details Official Fix For iOS 8.0.1 Woes, Will Release iOS 8.0.2 “In The Next Few Days”
Man 'Fixes' iPhone 6 Camera Bump With A Grinding Machine, Heartless Determination
Developer warns of yet another big iPhone security flaw
Apple shares sink after iOS 8.0.1 glitch
Bending All The Phones: iPhone 6 vs. HTC One M8 vs. Moto X
Apple to replace bent iPhone 6 Plus models
An in-depth examination of the bending iPhone 6 Plus
iPhone owners rip Apple over botched iOS update
New Samsung Ad Capitalizes On Apple's iPhone 6 Plus Bending Problem
The crisis of the bending iPhone 6: Solving the problem
Apple's biggest iPhone snafus
Duh: Of Course the iPhone 6 Plus Can Bend in Your Pocket
Theoretically, any phone or desktop app could have some hidden key logging capability. We trust the developers not to include nefarious code into their apps but really, if they wanted to we wouldn't know, correct? Unless we used Little Snitch or something like that?
Go out on the street. Find 100 people with iPhones. Ask them about these things. See how many look at you absolutely clueless.
It's not the people with iPhones it affects, it's people who might be thinking about buying one in the future (which at this point, is most people). Look, I know most of these stories are BS, but it's perception that matters and right now, every other news story is about how Apple f-ed up again. That has a cumulative effect in the mass market and over time it will hurt them (how much, who knows).
Yes.
Apple provides UIWebView which allows apps to embed a browser window. Some apps use this to provide some up-to-date pages from a website. Some apps use a UIWebView for their primary (or only) user interface. It allows you to write your UI using HTML/CSS/JS. PhoneGap apps do this.
The issue as stated is a red herring. It has absolutely nothing to do with in-app browsers. The author had an "aha" moment while enjoying some magic cookies, IMO.
Some app asks you to type in your Facebook password. Is it is Facebook app or Safari? If it's not the Facebook app or Safari, don't do it. Period.
Some apps will let you go off browsing the web willy-nilly within an in-app browser. I don't know why, it doesn't make much sense to me, since you have Safari - if you want to go off and browse, open Safari. (Or the let app do it for you.) So, this is a third use case for in-app browsers (but least often encountered).
I suppose this is what the point the author was trying to make - that when you go off browsing the web within an app, it's easy to forget you are still in the app, and not in a real browser. You shouldn't type in any passwords.
But, he didn't get around to making that point, because.... boy those cookies were good!