Thread: Developer Reveals that In-App Browsers Can Potentially Be Harmful to iOS Users

  1. #1
    Akshay Masand

    Developer Reveals that In-App Browsers Can Potentially Be Harmful to iOS Users


    One of the developers behind Twitterrific, Craig Hockenberry, recently wrote a blog post warning iOS users about in-app browsers. He considers them to be “harmful” and he even went as far as creating a video highlighting that an in-app browser has the ability to record what’s being typed, even when on what appears to be a secure login screen.

    This means that a developer could potentially create an app that has an in-app browser set up with the ability to capture the usernames and passwords of users who log in to websites such as Twitter or Facebook. He went on to note that many existing apps use in-app browsers to allow users to do things such as log in with an existing social media account, even if it’s meant for the purpose of making the login process easier. That being said, the same feature could potentially be used with malicious intent.

    Hockenberry said the following about his video:

    A few things to note about what you're seeing:

    The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to a remote server.

    This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has an input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.

    The app is stealing your username and password by watching what you type on the site. There's nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.

    He continued by stating that the malicious use of the feature can potentially work in both iOS 7 and iOS 8, and it may even work in earlier versions of iOS as well. One thing that he was quick to point out was that it’s not a bug but rather a feature that could be used for “good as well as evil.” As a result of this particular situation, he doesn’t appear to have a clear solution in mind for Apple to implement. Fixing the core behavior behind both WebKit and UIWebView would require the company to update every version of iOS that includes Safari and WebKit. That being said, Hockenberry did suggest that the company could possibly use OAuth to protect users.

    As far as his recommendations go for iOS users, Hockenberry warns everyone to not enter any private information when using an app that isn’t Safari. You can safely browse web content but it’s recommended that you open a link in Safari if you have any concerns about private information. Those of you looking to dig deeper into the security of various apps and read more about Hockenberry’s recommendations should hit the source link below!

    Source: Furbo via MacRumors
    Last edited by Akshay Masand; 2014-09-25 at 05:40 PM.

    Twitter: @AkshayMasand

  2. #2
    Yikes.
