Be careful of using any app’s browser except Safari until Apple fixes this iOS security hole


Be careful logging into sites like Twitter and Facebook using in-app browsers.
Be careful logging into sites like Twitter and Facebook using in-app browsers.

If you regularly use an iPhone or iPad app that uses a built-in browser, you could be vulnerable to a major vulnerability in iOS that allows unscrupulous app developers to spy on your typing.

The vulnerability was discovered by Craig Hockenberry, one of the developers behind Twitter for iOS, who has taken to his blog to warn iOS users about the security issues inherent in using in-app browsers: namely, that an app can spy on everything that is being entered in its in-app browser.

Hockenberry posted a video and a proof-of-concept app to show the vulnerability in action. As you can see, it can even capture passwords.

Hockenberry explains the hack:

– The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.

– This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.

– The app is stealing your username and password by watching what you type on the site. There’s nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.

– The site content is also modified: the text on the button label is normally “Sign in” and has been changed to “SUCK IT UP”. It seemed appropriate.

– This technique works in iOS 7 and 8 (and probably earlier versions, but I didn’t have an easy way to test them).

Basically, until this is fixed, you should think twice about logging into any third-party site through an in-app browser. Instead, you should only log into web sites with Safari, not any sites that use iOS’s in-app browser… which, unfortunately, includes third-party iOS browsers like Chrome.

Source: Furbo

  • Gary

    Would this apply to 1Password’s in app browser also?

    • Daniel Bergquist

      Yes, user input given to 1Password can be logged by 1Password. They would also have access to your password if they *didn’t* user an in-app browser. Same goes for ANY app.

      The real question is, do you trust 1Password with your passwords? If you do, this “flaw” isn’t an issue. If you don’t, well….

  • ukbuzz

    Thanks for the info. So this is click-jacking or key-logging. Can anything displayed on screen be seen or is it just the keystrokes?

  • Sam Sawyer, SJ

    The warning to not use Chrome is kind of ridiculous. The issue here is trust of the app — because certainly Safari could steal your passwords if Apple wanted it to. Do we really think Google is going to use Chrome to steal our passwords? And given the degree of trust you likely already extend to Google, suddenly freaking out about their iOS browser would be silly.