Today Craig Hockenberry, one of the developers behind Twitterrific for iOS, has released a blog post warning iOS users about the potential security issues of in-app browsers.
The developer outlines that an in-app browser has the ability to record everything that a user types, including usernames and passwords at a secure login page. Here is a video which demonstrates Hockenberry’s proof of concept:
A few things to note about what you’re seeing:
– The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.
– This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.
– The app is stealing your username and password by watching what you type on the site. There’s nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.
– The site content is also modified: the text on the button label is normally “Sign in” and has been changed to “SUCK IT UP”. It seemed appropriate.
– This technique works in iOS 7 and 8 (and probably earlier versions, but I didn’t have an easy way to test them).
The video demonstrates that any unethical developer has the ability to create an app with an in-app browser and capture all the login credentials of its users. For instance, if the user uses the in-app browser to login to Facebook or Twitter, the app could record the credentials of that user.
Even though this may seem like its a flaw with WebKit, it’s not. The main issue is that the iOS app has almost the same level of access as the developer of that webpage.
Hockenberry’s suggestion to Apple is to use OAuth, which keeps the user’s login information away from external websites and apps.
“OAuth does this by exchanging cryptographically signed tokens between the site where the user has an account and the app or web service that wants to access that account. A key factor in making this secure is that the exchange of these secure tokens is done through a trusted channel: the user’s web browser. Twitter has required third-party developers to use OAuth since 2010.
Apple should change their policy for apps that use OAuth.”
However, there is always a trade-off between user convenience and security. Using an OAuth token exchange will make it easier for a user to login, but there is no way of detecting if any information was captured. This is true unless the user is using Safari, in which case Hockenberry can be sure that no information was lost or captured.
Hockenberry points out that the flaw is exploitable in iOS 7 and iOS 8, which affects the majority of iOS users.
A general recommendation for users is not to enter personal information using any app that is not Safari, since it is the only web browser on iOS that comes with Apple’s security guarantee.
