Developer Warns Against Using In-App Browsers on iOS Due to Potential for KeyloggingCraig Hockenberry, one of the developers behind Twitterriffic, has
written a blog post warning iOS users about in-app browsers, which he says are "considered harmful." According to Hockenberry, and as outlined in a video, an in-app browser has the ability to record what's being typed, even at a secure login screen.
This means an unscrupulous developer could potentially create an app with an in-app browser to capture the usernames and passwords of users who login to websites like Twitter or Facebook with the browser. Many existing apps use in-app browsers to allow users to do things like login with an already existing social media account simply to make the login process easier, but it appears there's also potential for abuse.
<center><iframe src="//www.youtube.com/embed/2Bl-pJBHYuc?feature=player_embedded" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe></center>
A few things to note about what you're seeing:
The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.
This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.
The app is stealing your username and password by watching what you type on the site. There's nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.
Hockenberry says that acquiring usernames and passwords works in both iOS 7 and iOS 8, and may also work in earlier versions of iOS, but he is quick to point out that it is not a bug, as the techniques demonstrated in the video can be used for "good as well as evil."
Hockenberry does not have a clear solution in mind for Apple, as fixing the core behavior of both WebKit and UIWebView would require the company to update every version of iOS that included Safari and WebKit, but he does suggest the company could protect users with
OAuth.
As for end users, Hockenberry warns not to enter private information when using an app that's not Safari. Browsing web content is safe, but he recommends that users open a link in Safari if there are any concerns about private information. More details on the security of in-app browsers, OAuth, and Hockenberry's recommendations can be found in his
original blog post.
Recent Mac and iOS Blog Stories •
iPhone 6 Touch ID Still Vulnerable to Specialized Fake Fingerprint Hack •
Now TV Adds New Entertainment and Sky Movies Passes to Apple TV in UK •
iPhone 6 Plus Bending Limits Tested in New Video •
Apple Opening Retail Store in Hanover, Germany on September 27 •
'iPod Father' Tony Fadell Comments on Discontinuation of iPod Classic •
Apple Releases OS X Yosemite Mail Update for Developers and Public Beta Testers •
iPhone 6 and 6 Plus Capable of Faster Charging Using iPad 2.1A Adapter •
iPhone 6 Adoption Easily Outpacing iPhone 6 Plus<img width='1' height='1' src='
http://rss.feedsportal.com/c/35070/f/648327/s/3ecb0d88/sc/4/mf.gif' border='0'/><br clear='all'/>
<a href="
http://da.feedsportal.com/r/208965234788/u/49/f/648327/c/35070/s/3ecb0d88/sc/4/rc/1/rc.htm" rel="nofollow"><img src="
http://da.feedsportal.com/r/208965234788/u/49/f/648327/c/35070/s/3ecb0d88/sc/4/rc/1/rc.img" border="0"/>[/url]
<a href="
http://da.feedsportal.com/r/208965234788/u/49/f/648327/c/35070/s/3ecb0d88/sc/4/rc/2/rc.htm" rel="nofollow"><img src="
http://da.feedsportal.com/r/208965234788/u/49/f/648327/c/35070/s/3ecb0d88/sc/4/rc/2/rc.img" border="0"/>[/url]
<a href="
http://da.feedsportal.com/r/208965234788/u/49/f/648327/c/35070/s/3ecb0d88/sc/4/rc/3/rc.htm" rel="nofollow"><img src="
http://da.feedsportal.com/r/208965234788/u/49/f/648327/c/35070/s/3ecb0d88/sc/4/rc/3/rc.img" border="0"/>[/url]
<img src="[url]http://da.feedsportal.com/r/208965234788/u/49/f/648327/c/35070/s/3ecb0d88/sc/4/a2.img" border="0"/>[/url]<img width="1" height="1" src="
http://pi.feedsportal.com/r/208965234788/u/49/f/648327/c/35070/s/3ecb0d88/sc/4/a2t.img" border="0"/><div class="feedflare">
<img src="[url]http://feeds.feedburner.com/~ff/MacRumors-Front?d=yIl2AUoC8zA" border="0"></img>[/url]
<img src="[url]http://feeds.feedburner.com/~ff/MacRumors-Front?d=6W8y8wAjSf4" border="0"></img>[/url]
<img src="[url]http://feeds.feedburner.com/~ff/MacRumors-Front?d=qj6IDK7rITs" border="0"></img>[/url]
</div><img src="
http://feeds.feedburner.com/~r/MacRumors-Front/~4/ikA_BV-LJsk" height="1" width="1"/>
Source:
Developer Warns Against Using In-App Browsers on iOS Due to Potential for Keylogging
