{"id":9730,"date":"2014-09-24T12:59:09","date_gmt":"2014-09-24T16:59:09","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=9730"},"modified":"2015-02-03T15:19:36","modified_gmt":"2015-02-03T20:19:36","slug":"in-app-browsers-considered-harmful","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2014\/09\/24\/in-app-browsers-considered-harmful\/","title":{"rendered":"In-App Browsers Considered Harmful"},"content":{"rendered":"<p><a href=\"http:\/\/furbo.org\/2014\/09\/24\/in-app-browsers-considered-harmful\/\">Craig Hockenberry<\/a>:<\/p>\r\n<blockquote cite=\"http:\/\/furbo.org\/2014\/09\/24\/in-app-browsers-considered-harmful\/\"><p>How many apps on your iPhone or iPad have a built-in browser?<\/p>\r\n<p>Would it surprise you to know that every one of those apps could eavesdrop on your typing? Even when it&rsquo;s in a secure login screen with a password field?<\/p>\r\n<p>[&#8230;]<\/p>\r\n<p>There is <strong>always<\/strong> a tradeoff between usability and security. Doing the OAuth token exchange with an in-app browser makes it easier for a user to log in, but they&rsquo;ll have no idea if their personal information was captured. That is why Twitterrific did its token exchange in Safari, even though it&rsquo;s a more complex user interaction and a more difficult technical implementation. As a user, I know that there&rsquo;s no way for my login to be compromised when the transaction involves Safari.<\/p>\r\n<p>Unfortunately, Apple&rsquo;s current App Review policy does not agree with this recommendation or with Twitterrific&rsquo;s previous implementation. 
This is why our update for iOS 8 was delayed&mdash;it was the first time since the launch of the App Store that we haven&rsquo;t had a new version on release day.<\/p>\r\n<\/blockquote>\r\n<p>Update (2014-10-09): <a href=\"http:\/\/kickingbear.com\/blog\/archives\/492\">Guy English<\/a>:<\/p>\r\n<blockquote cite=\"http:\/\/kickingbear.com\/blog\/archives\/492\"><p><\/p><p>Less tapping around and not leaving the app? Yes. That&rsquo;d be a good thing. It appears, however, that Apple rejected this application because it strove to do the <em>right<\/em> thing for users over the long term &mdash; establish a level of trust and transparency vetted through Apple&rsquo;s own web client for the platform.<\/p>\r\n<p><\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Craig Hockenberry: How many apps on your iPhone or iPad have a built-in browser? Would it surprise you to know that every one of those apps could eavesdrop on your typing? Even when it&rsquo;s in a secure login screen with a password field? [&#8230;] There is always a tradeoff between usability and security. 
Doing the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[91,31,26,959,355,48,233],"class_list":["post-9730","post","type-post","status-publish","format-standard","hentry","category-technology","tag-appstore","tag-ios","tag-iosapp","tag-oauth","tag-privacy","tag-security","tag-twitterrific"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/9730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=9730"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/9730\/revisions"}],"predecessor-version":[{"id":9766,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/9730\/revisions\/9766"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=9730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=9730"},{"taxonomy":"post_tag","em
beddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=9730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}