Monday, March 5, 2018

Risks of In-App Browsers

Felix Krause (tweet):

Many larger iOS apps re-implemented their own in-app web browser. While this was necessary many years ago, nowadays it’s not only not required any more, it actually adds a major risk to the end-user.

[…]

Using a custom in-app browser allows the app developer to inject ANY JavaScript code into the website the user visits. This means any content, any data and any input that is shown or stored on the website is accessible to the app.

[…]

It allows the app maintainer to inject additional analytics code, without telling the user.

[…]

Any app with an in-app browser can easily steal the user’s email address, passwords and two-factor authentication codes.

[…]

Once the user is logged in, you also get access to the full HTML DOM + JavaScript data & events, which means you have full access to whatever the user sees. This includes things like your emails, your Amazon order history, your friend list, or whatever other data/website you access from an in-app web view.

This is partially a consequence of iOS’s full screen interface. On the Mac, it’s no big deal to open a separate Safari browser window, and entering credentials or doing general browsing in an in-app browser would seem weird.

I’m not sure what Apple can do about this on iOS. Even if the user knows what the safer SFSafariViewController looks like, that appearance could be spoofed. And there are plenty of legitimate uses for a regular embedded Web view.
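For the developer side of this, the following Swift snippet is an added illustration (not code from Felix Krause’s post or from this blog) of the distinction the paragraph above draws: third-party browsing goes through SFSafariViewController, which runs out of the app’s process and gives the host app no script or DOM access, while WKWebView is reserved for content the app itself owns. The helper names `openExternalLink` and `makeFirstPartyWebView` are hypothetical.

```swift
import SafariServices
import UIKit
import WebKit

// Added example, not from the original post. Helper names are hypothetical.
extension UIViewController {
    /// Use this for any page the app does not control: a login page,
    /// a link in a feed, the user's general browsing.
    /// SFSafariViewController is rendered by a separate system process,
    /// so the hosting app has no evaluateJavaScript, no DOM access and
    /// no view of what the user types. Password AutoFill still works
    /// because it is handled by the system, not by the app.
    func openExternalLink(_ url: URL) {
        let safari = SFSafariViewController(url: url)
        present(safari, animated: true)
    }

    /// Keep WKWebView for content the app itself serves or bundles
    /// (help pages, terms of service, locally shipped HTML).
    /// A WKWebView lets the host app inject script into whatever it loads,
    /// which is exactly the capability the post warns about, so it should
    /// never be the path arbitrary third-party sites are routed through.
    func makeFirstPartyWebView(_ url: URL) -> WKWebView {
        let configuration = WKWebViewConfiguration()
        let webView = WKWebView(frame: .zero, configuration: configuration)
        webView.load(URLRequest(url: url))
        return webView
    }
}
```

The caveat the post makes still stands: from the user’s side the two look alike and a WKWebView can be styled to mimic the Safari chrome, so this separation protects users only when the app’s own developers choose it; nothing on the website can reliably verify which one it is running in.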

Previously: iCloud Passwords in Mail, Device Passwords, and Safari Passwords.

Update (2018-03-06): Bad Uncle Leo:

w-w-where’s App Review??

Bob Burrough:

That’s how the house of cards comes crumbling down. App Review certainly should boot apps that steal credentials and do other nefarious things. However, if their responsibilities cover the behavior of apps (they do), then they also have to consider apps like Facebook.

Facebook’s business is built on exploiting user data in some way. Hell, Google’s is, too. However, I don’t think anyone is under any misconception that Apple’s App Review team is giving a serious, critical look at the behavior of those companies. They’re not.

This line of thinking forces us to ask what is the role of app review, and ultimately what is the role of Apple’s moral policies? Are they really running their business as if they’re fighting the good fight, or is that all just marketing?

This is an area where App Review could help but won’t. App Review continues to look the other way, even for blatant push notification spam. And when there is enforcement, the rules are different for the big players.

Update (2018-03-07): Sean Hussey:

My son’s school isn’t supposed to allow outside recess if it’s below 32 degrees, so my son went to http://weather.com, opened up the web inspector, changed the temperature from 28 to 36, and showed the teacher.
