Well… This is a pretty serious problem or oversight on Apple's part. Or is it? On the one hand, the web view offers the same access as the web developer has, as I would expect as an iOS developer. This allows the app designer total control over the app login sequence on a web page. I think the real bug here is from the app using the incorrect version of the web app interface. Instead of using a web view to launch a page that allows total exposure of the login process, why not use the Twitter published API instead? Sure, it's a bit more work on the developer's side, but it is also more secure than using a web view. For me this falls under using best practices while developing an app.
This problem isn’t exclusively unique to iOS; if you try hard enough, it can be done on the desktop with Safari or Chrome extensions and under Internet Explorer with its Browser Helper Objects.
Kudos to the article's author for pointing this problem out. It’s an easy problem to avoid: just use the right technology to log in with your mobile application.
Originally posted on 9to5Mac:
App developer Craig Hockenberry has published an article today titled “in-app browsers considered harmful” warning both devs and users of security issues related to apps that take advantage of the feature. “Would it surprise you to know that every one of those apps could eavesdrop on your typing? Even when it’s in a secure login screen with a password field?”