Twitterrific developer warns against using in-app browsers to enter sensitive information
Craig Hockenberry, one of the developers behind the popular Twitterrific app, is warning users not to enter sensitive information using in-app browsers.
In a new blog post, he details a proof-of-concept that could allow a malicious app to spy on what you type, even in a secure login screen with a password field.
Here’s a quick video that shows the keylogger at work. Click here if you can’t see it.
Hockenberry talks more about what you see in the video:
▪ The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.
▪ This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.
▪ The app is stealing your username and password by watching what you type on the site. There’s nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.
▪ The site content is also modified: the text on the button label is normally “Sign in” and has been changed to “SUCK IT UP”. It seemed appropriate.
▪ This technique works in iOS 7 and 8 (and probably earlier versions, but I didn’t have an easy way to test them.)
Hockenberry said the technique shown can be used for both good and evil.
There is no clear way for Apple to completely fix the issue. He also said a malicious app with the functionality could easily slip through the App Store approval process.
He concludes with some simple and easy advice for iOS device users:
Another goal of this essay is to increase user awareness of the potential dangers of using an in-app browser. You should never enter any private information while you’re using an app that’s not Safari.
An in-app browser is a great tool for quickly viewing web content, especially for things like links in Twitterrific’s timeline. But if you should always open a link in Safari if you have any concern that your information might be collected. Safari is the only app on iOS that comes with Apple’s guarantee of security.
That’s definitely some scary information as a number of apps feature in-app browsers. Hopefully Apple will be able to come up with some kind of permanent fix instead of just believing that a malicious app will be caught in the approval process.
For other news today, see: Here’s how to fix your iPhone 6 or iPhone 6 Plus if you updated to iOS 8.0.1, You might not be able to get your new Apple Watch for awhile, and Touch ID can still be hacked on an iPhone 6 and iPhone 6 Plus.