iOS In-App Browsing Poses Security Risk - InformationWeek


News
9/26/2014, 09:24 AM

iOS In-App Browsing Poses Security Risk

iOS developer warns that browser windows invoked within third-party apps allow information theft.


iOS apps that present Web pages can be abused by malicious developers to steal login details, developer Craig Hockenberry said on Wednesday.

In a blog post, Hockenberry, a principal at app maker Iconfactory, explains that in-app browser windows -- what iOS developers call a WebView -- are vulnerable to manipulation through iOS code.

As a proof of concept, Hockenberry has posted a sample project that demonstrates how supposedly secure login credentials entered into a WebView browser input form can be copied as clear text by the iOS code presenting the WebView element.  

"The app is stealing your username and password by watching what you type on the site," Hockenberry said. "There’s nothing the site owner can do about this, since the WebView has control over JavaScript that runs in the browser."

The keylogging vulnerability appears to be made possible by the deprecated KeyboardEvent API, still widely used to handle keyboard input on many Web pages. Hockenberry insists Web technologies of this sort are not inherently bad. Rather, he says, the iOS app has as much access to the Web page's JavaScript code as the developer of the Web page.

(Image credit: heyvoz at deviantart.com)

Hockenberry advises that while in-app browsing can be useful for viewing Web content, iOS users should open Web links in mobile Safari because Apple's browser can't be accessed by third-party code in the same way as an in-app WebView.

Apple isn't likely to catch apps designed to exploit this technique, Hockenberry said, citing the huge number of apps that get reviewed every day and the ease with which malicious code can be concealed, through obfuscation or through a setting that disables the malicious mechanism until after the app has been reviewed and released.

One way to mitigate the risk of credential theft involves the use of OAuth authentication, the API that allows credentials from Internet services like Facebook, Google, or Yahoo to be used to log in to third-party websites.

But Hockenberry points out that proper implementation of OAuth calls for taking mobile app users outside the app to Safari to handle the authentication. This runs contrary to Apple's App Store Review Guidelines, specifically section 10.6, which states, "If your user interface is complex or less than very good, [your app] may be rejected." While handling user authentication in an app may offer a better user experience, best practices for OAuth implementation call for keeping apps and browser operations separate.
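The handoff the article describes, as an added example that is not code from the article or from Hockenberry's sample project: the app builds the OAuth authorization URL, opens it in Safari rather than in a WebView, and only accepts a callback whose state value matches the one it generated. The endpoint, client ID and the `exampleapp` URL scheme are placeholders, and the code uses the current UIKit `open(_:options:completionHandler:)` API rather than the 2014-era `openURL:`.

```swift
import UIKit
import Security

// Added example (not from the article or Hockenberry's project): hand the OAuth
// authorization step to Safari instead of an in-app WebView, so the app's own
// code never has access to the page where the user types credentials.
// The endpoint, client ID and callback scheme below are placeholders.
enum OAuthHandoff {
    static let authorizeURL = "https://auth.example.com/oauth/authorize"   // placeholder
    static let clientID = "PLACEHOLDER_CLIENT_ID"
    static let callbackScheme = "exampleapp"   // hypothetical scheme registered in Info.plist
    static let callbackURL = "\(callbackScheme)://oauth-callback"

    // Random, single-use state value; kept so the callback can be checked against it.
    private static var pendingState: String?

    static func makeState() -> String {
        var bytes = [UInt8](repeating: 0, count: 16)
        _ = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
        return bytes.map { String(format: "%02x", $0) }.joined()
    }

    // Build the authorization URL and open it in Safari, not in a WKWebView/UIWebView.
    static func beginLogin() {
        let state = makeState()
        pendingState = state
        var components = URLComponents(string: authorizeURL)!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: callbackURL),
            URLQueryItem(name: "state", value: state),
        ]
        UIApplication.shared.open(components.url!, options: [:], completionHandler: nil)
    }

    // Called from the app delegate's application(_:open:options:) when Safari
    // redirects back. Returns the authorization code only if the state matches.
    static func handleCallback(_ url: URL) -> String? {
        guard url.scheme == callbackScheme,
              let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
              let state = items.first(where: { $0.name == "state" })?.value,
              let expected = pendingState, state == expected else {
            return nil   // unexpected or replayed callback: ignore it
        }
        pendingState = nil
        return items.first(where: { $0.name == "code" })?.value
    }
}
```

The authorization code returned by `handleCallback` is then exchanged for a token over the app's own HTTPS connection, so at no point does the app render the provider's login form itself.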

Hockenberry argues, "... this is a case where user security trumps usability. Apple should change [its] policy for apps that use OAuth."


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
asksqn (User Rank: Ninja), 9/27/2014, 5:02:15 PM

Maybe an upgrade is in order

On the other hand, hopefully the new iOS 8 version nixes this particular security risk along with protecting user privacy from the prying eyes of the NSA.