In-App Browsers Can Record What’s Being Typed, Even with A Secure Login Screen, Developer Warns

by Istvan Fekete on September 25, 2014

If you use Twitter or Facebook for iOS, you already know that these apps, along with many other apps, have a built-in browser. But did you know that every one of those apps could log every single character you type? Even when it’s in a secure login screen with a password field?

Craig Hockenberry, one of the developers behind Twitterrific, has published a blog post warning iOS users about in-app browsers, which he considers harmful. You may want to change your habits and use the “Open in Safari” command instead when tapping a link inside any app that has a built-in browser.

So what does Hockenberry say? His findings show that an unscrupulous developer could create an app with an in-app browser and capture the usernames and passwords of users who log in to websites such as Twitter or Facebook through that browser.

“This is not phishing: the site shown [in the video] is the actual Twitter website. This technique can be applied to any site that has an input form. All the attacker needs to know can easily be obtained by viewing the public-facing HTML on the site.”

“The app is stealing your username and password by watching what you type on the site. There’s nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.”

You may already know that apps use in-app browsers to let users log in to a social media account they already have, speeding up the sign-in process. Almost every app offers such a feature, which is why Hockenberry warns about the potential for abuse.

It’s important to note that this isn’t Apple hacking you: it’s not a WebKit bug. The root of the problem appears to be how OAuth logins are handled inside in-app browsers. Twitterrific’s developers have contacted Apple with a recommendation, but Apple’s App Review policy does not currently align with it.

Hockenberry warns users not to enter private information in an in-app browser. Simply browsing the web is safe, but if you want to log in to a website, use Safari instead.
