iOS In-App Browsing Poses Security Risk - InformationWeek



iOS In-App Browsing Poses Security Risk

iOS developer warns that browser windows invoked within third-party apps allow information theft.


iOS apps that present Web pages can be abused by malicious developers to steal login details, developer Craig Hockenberry said on Wednesday.

In a blog post, Hockenberry, a principal at app maker Iconfactory, explains that in-app browser windows -- what iOS developers call a WebView -- are vulnerable to manipulation through iOS code.

As a proof of concept, Hockenberry has posted a sample project that demonstrates how supposedly secure login credentials entered into a WebView browser input form can be copied as clear text by the iOS code presenting the WebView element.

"The app is stealing your username and password by watching what you type on the site," Hockenberry said. "There’s nothing the site owner can do about this, since the WebView has control over JavaScript that runs in the browser."

The keylogging vulnerability appears to be made possible by the deprecated KeyboardEvent API, still widely used to handle keyboard input on many Web pages. Hockenberry stresses that Web technologies of this sort are not inherently bad; the problem, he says, is that the iOS app hosting the WebView has as much access to the Web page's JavaScript as the page's own developer does.


Hockenberry advises that while in-app browsing can be useful for viewing Web content, iOS users should open Web links in mobile Safari because Apple's browser can't be accessed by third-party code in the same way as an in-app WebView.

Apple isn't likely to catch apps designed to exploit this technique, Hockenberry said, citing the huge number of apps that get reviewed every day and the ease with which malicious code can be concealed, through obfuscation or through a setting that disables the malicious mechanism until after the app has been reviewed and released.

One way to mitigate the risk of credential theft is to use OAuth, the authorization protocol that lets credentials held at Internet services such as Facebook, Google, or Yahoo be used to log in to third-party websites.

But Hockenberry points out that proper implementation of OAuth calls for taking mobile app users outside the app to Safari to handle the authentication. This runs contrary to Apple's App Store Review Guidelines, specifically section 10.6, which states, "If your user interface is complex or less than very good, [your app] may be rejected." While handling user authentication in an app may offer a better user experience, best practices for OAuth implementation call for keeping apps and browser operations separate.
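One way to follow that advice in an iOS app, as an added example that is not Hockenberry's or Apple's code: an OAuth authorization-code login that hands the provider's page to Safari rather than an in-app WebView, and checks a random `state` value when the provider redirects back. The provider endpoint, client ID and callback scheme are placeholders.

```swift
import UIKit
import Security

// Added example: OAuth login that leaves the app for Safari, so no in-app WebView,
// and no JavaScript the app could inject into one, ever sees the password field.
// Endpoint, client ID and callback scheme are placeholders, not a real provider.
enum OAuthFlow {
    static let authorizeEndpoint = "https://auth.example.com/oauth/authorize"
    static let clientID = "my-client-id"
    static let callbackScheme = "com.example.myapp"
    static let redirectURI = "\(callbackScheme)://oauth/callback"
    static var pendingState: String?   // state issued for the login in progress

    /// Unpredictable per-login `state`; the callback must echo it back unchanged.
    static func makeState() -> String {
        var bytes = [UInt8](repeating: 0, count: 16)
        _ = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
        return bytes.map { String(format: "%02x", $0) }.joined()
    }

    /// Authorization URL for the provider; Safari renders it, not the app.
    static func authorizationURL(state: String) -> URL {
        var c = URLComponents(string: authorizeEndpoint)!
        c.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: redirectURI),
            URLQueryItem(name: "state", value: state),
        ]
        return c.url!
    }

    /// Accept the callback only if it uses our scheme and carries the state we issued.
    static func authorizationCode(from url: URL, expectedState: String) -> String? {
        guard url.scheme == callbackScheme,
              let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
              items.first(where: { $0.name == "state" })?.value == expectedState
        else { return nil }
        return items.first(where: { $0.name == "code" })?.value
    }

    /// Hand the login page to Safari (iOS 10+ API) instead of loading it in a WebView.
    static func beginLogin() {
        let state = makeState()
        pendingState = state
        UIApplication.shared.open(authorizationURL(state: state))
    }
}
```

Safari's redirect to the custom scheme arrives in the app delegate's `application(_:open:options:)`; pass that URL and `pendingState` to `authorizationCode(from:expectedState:)`, clear `pendingState`, and only then exchange the code for tokens at the provider's token endpoint.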

Hockenberry argues, "... this is a case where user security trumps usability. Apple should change [its] policy for apps that use OAuth."


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

9/27/2014 | 5:02:15 PM
Maybe an upgrade is in order
On the other hand, hopefully the new iOS 8 version nixes this particular security risk along with protecting user privacy from the prying eyes of the NSA.