  • Developer Reveals that In-App Browsers Can Potentially Be Harmful to iOS Users

    One of the developers behind Twitterrific, Craig Hockenberry, recently wrote a blog post warning iOS users about in-app browsers. He considers them “harmful,” and he even went as far as creating a video showing that an in-app browser can record what is being typed, even on what appears to be a secure login screen.

    This means that a developer could potentially create an app whose in-app browser captures the usernames and passwords of users who log in to websites such as Twitter or Facebook. He went on to note that many existing apps use in-app browsers to let users do things such as log in with an existing social media account, a design meant to make the login process easier. That being said, the same feature could potentially be used with malicious intent.

    Hockenberry said the following about his video:

    A few things to note about what you're seeing:

    The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to a remote server.

    This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has an input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.

    The app is stealing your username and password by watching what you type on the site. There's nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.

    He continued by stating that the malicious use of the feature can potentially work in both iOS 7 and iOS 8, and that it may even work in earlier versions of iOS as well. One thing that he was quick to point out was that it’s not a bug but rather a feature that could be used for “good as well as evil.” As a result, he doesn’t appear to have a clear solution in mind for Apple to implement. Fixing the core behavior behind both WebKit and UIWebView would require the company to update every version of iOS that includes Safari and WebKit. That being said, Hockenberry did suggest that the company could possibly use OAuth to protect users.

    As far as his recommendations go for iOS users, Hockenberry warns everyone to not enter any private information when using an app that isn’t Safari. You can safely browse web content but it’s recommended that you open a link in Safari if you have any concerns about private information. Those of you looking to dig deeper into the security of various apps and read more about Hockenberry’s recommendations should hit the source link below!

    Source: Furbo via MacRumors
    This article was originally published in forum thread: Developer Reveals that In-App Browsers Can Potentially Be Harmful to iOS Users, started by Akshay Masand.