iOS In-App Browsing Poses Security Risk

iOS developer warns that browser windows invoked within third-party apps allow information theft.

Thomas Claburn, Editor at Large, Enterprise Mobility

September 26, 2014

3 Min Read
(Image credit: heyvoz at

6 Things Not To Do With iPhone 6

6 Things Not To Do With iPhone 6

6 Things Not To Do With iPhone 6 (Click image for larger view and slideshow.)

iOS apps that present Web pages can be abused by malicious developers to steal login details, developer Craig Hockenberry said on Wednesday.

In a blog post, Hockenberry, a principal at app maker Iconfactory, explains that in-app browser windows -- what iOS developers call a WebView -- are vulnerable to manipulation through iOS code.

As a proof of concept, Hockenberry has posted a sample project that demonstrates how supposedly secure login credentials entered into a WebView browser input form can be copied as clear text by the iOS code presenting the WebView element.  

"The app is stealing your username and password by watching what you type on the site," Hockenberry said. "There’s nothing the site owner can do about this, since the WebView has control over JavaScript that runs in the browser."

The keylogging vulnerability appears to be made possible by the deprecated KeyboardEvent API, still widely used to handle keyboard input on many Web pages. Hockenberry insists Web technologies of this sort are not inherently bad. Rather, he says, the iOS app has as much access to the Web page's JavaScript code as the developer of the Web page.

Hockenberry advises that while in-app browsing can be useful for viewing Web content, iOS users should open Web links in mobile Safari because Apple's browser can't be accessed by third-party code in the same way as an in-app WebView.

Apple isn't likely to catch apps designed to exploit this technique, Hockenberry said, citing the huge number of apps that get reviewed every day and the ease with which malicious code can be concealed, through obfuscation or through a setting that disables the malicious mechanism until after the app has been reviewed and released.

One way to mitigate the risk of credential theft involves the use of OAuth authentication, the API that allows credentials from Internet services like Facebook, Google, or Yahoo to be used to login to third-party websites.

But Hockenberry points out that proper implementation of OAuth calls for taking mobile app users outside the app to Safari to handle the authentication. This runs contrary to Apple's App Store Review Guidelines, specifically section 10.6, which states, "If your user interface is complex or less than very good, [your app] may be rejected." While handling user authentication in an app may offer a better user experience, best practices for OAuth implementation call for keeping apps and browser operations separate.

Hockenberry argues, "... this is a case where user security trumps usability. Apple should change [its] policy for apps that use OAuth."

Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data. In the Partners' Role In Perimeter Security report, we'll discuss concrete strategies such as setting standards that third-party providers must meet to keep your business, conducting in-depth risk assessments -- and ensuring that your network has controls in place to protect data in case these defenses fail. (Free registration required.)

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights