If you’ve ever found the concept of in-app browsers a little sketchy, iOS developer Craig Hockenberry (perhaps best known for his work on Twitterrific) says you have a right to be worried. In a blog post today, Hockenberry demonstrated how the developer of an in-app browser can record what you type on the page, even when you’re behind the supposed safety of a secure login.
Using such information, an unscrupulous developer could nab the user names and passwords of their users when they’re accessing sites like Twitter, Facebook, and essentially anything else through the app’s browser.
To demonstrate his point, Hockenberry wrote a script for an in-app browser of his own design that displays what’s being typed at the top of the page. He uses the browser to open Twitter, then playfully enters “this kinda sucks” as his password. Twitter’s password field shows it masked as dots, but it appears in plain text in the interface he created.
“This is not phishing: the site shown is the actual Twitter website,” Hockenberry says. “This technique can be applied to any site that has an input form. All the attacker needs to know can easily be obtained by viewing the public-facing HTML on the site.” He’s also quick to point out that it’s not a bug, and that it can just as easily be used for good.
Many apps, after all, use some form of in-app browser, such as the one you see in Facebook when you click on links. It’s generally safe to read sites through these browsers; for Hockenberry, the problems arise when you enter information into fields inside them.
“There’s nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser,” he says. Hockenberry found that this works on both iOS 7 and 8 (and, presumably, earlier versions), which is why the latest version of Twitterrific “did its token exchange in Safari, even though it’s a more complex user interaction and a more difficult technical implementation.”
To fix it, he says, Apple would need to “release a new version of iOS for each version that included Safari and WebKit.” For now, Hockenberry recommends that you not enter private information in an in-app browser unless, like Twitterrific, the app actually hands the login off to the much safer Safari.
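What the Safari hand-off looks like from the app side, as an added example that is not Hockenberry’s or Twitterrific’s code: the login page runs in a system browser session the app does not host, so the app has no JavaScript hook into it and only ever receives the callback URL. The authorization URL, client ID and callback scheme are placeholders, and it assumes the ASWebAuthenticationSession API that iOS now provides for this purpose.

```swift
import UIKit
import AuthenticationServices

// Added example, not code from the article or from Twitterrific. The password is typed
// into a page the app does not control; only the callback URL comes back to the app.
// All URLs, the client ID and the callback scheme below are placeholders.
final class SafariLogin: NSObject, ASWebAuthenticationPresentationContextProviding {
    private let window: UIWindow
    private var session: ASWebAuthenticationSession?

    init(window: UIWindow) {
        self.window = window
        super.init()
    }

    /// Runs an OAuth-style authorization in a system browser context and hands back
    /// the authorization code from the callback URL.
    func start(completion: @escaping (Result<String, Error>) -> Void) {
        // Random nonce echoed back by the provider; used to reject forged callbacks.
        let state = UUID().uuidString
        var comps = URLComponents(string: "https://auth.example.invalid/oauth/authorize")!
        comps.queryItems = [
            URLQueryItem(name: "client_id", value: "PLACEHOLDER_CLIENT_ID"),
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "redirect_uri", value: "exampleapp://callback"),
            URLQueryItem(name: "state", value: state),
        ]
        session = ASWebAuthenticationSession(url: comps.url!,
                                             callbackURLScheme: "exampleapp") { callbackURL, error in
            if let error = error { return completion(.failure(error)) }
            let items = callbackURL.flatMap {
                URLComponents(url: $0, resolvingAgainstBaseURL: false)?.queryItems
            } ?? []
            func value(_ name: String) -> String? { items.first { $0.name == name }?.value }
            // The callback URL is the only thing that crosses into the app; check its state.
            guard value("state") == state, let code = value("code") else {
                return completion(.failure(URLError(.badServerResponse)))
            }
            completion(.success(code))
        }
        session?.presentationContextProvider = self
        session?.start()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        return window
    }
}
```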
Follow this article’s writer, Leif Johnson, on Twitter.