Report: in-app browsers in iOS can easily keylog you

Every now and then, a report or a developer warns that a flaw in a mobile OS opens the gates for malicious apps and allows them to steal often-sensitive data. Android and iOS, the two most popular mobile operating systems, are the usual victims of such exploits. One of the latest threats brought to light can seriously compromise the sensitive data of iOS users.

Craig Hockenberry, one of the developers of Twitterrific (a third-party Twitter client), warned that apps with built-in browsers can keylog you with ease. Keylogging is the act of monitoring your keystrokes and sending them to a remote location without your knowledge, usually with malicious intent. Apps in both iOS 7 and iOS 8 are said to be able to keylog you silently (there is no info yet about previous iOS versions), but Hockenberry revealed that this is not due to a flaw in iOS' WebKit itself; it is most probably a JavaScript exploit, which circumvents the OAuth open security protocol in the Safari browser.

Hockenberry also released a brief video in which he showcases an in-app browser keylogging login credentials, i.e. a username and the corresponding password. He also claimed that it will be pretty hard for Apple to cope with this problem and prevent malicious apps from making use of the exploit, as every iOS version until now will have to have its WebKit and UIWebView packages updated. He advises Cupertino to fully implement the OAuth protocol so as to protect its users from misbehaving apps with built-in browsers and from malicious wrongdoers.

Users, on the other hand, are advised to think twice and thrice before keying in their login credentials and sensitive personal information in any app other than Apple's Safari itself.

You can check out Craig Hockenberry's video right below. 



source: Furbo via MacRumors


11 Comments

1. neops

Posts: 297; Member since: Jan 28, 2014

Rotten

2. android_hitman unregistered

People are blind... they will still buy Apple no matter what.

3. AnTuTu

Posts: 1612; Member since: Oct 14, 2012

This is getting way too embarrassing for a company which brags about perfection, innovation and how they revolutionized the tech industry. I think it is time to go down enough with bragging and deceiving...

4. androidrocks

Posts: 63; Member since: Apr 14, 2012

Apple is facing a lot of bad PR of late... maybe they should concentrate more on their software instead of suing other companies... chanting "it just works" mantra does not seem to work these days...

5. dimas

Posts: 3363; Member since: Jul 22, 2014

Flawed security and people pay too much for their gadgets? So much for being premium and high end products.

6. Python212

Posts: 363; Member since: Aug 13, 2014

Apple's not worried. They won't care either. You know why? They got the iDefenders on their back! Even if their phone stops working tomorrow they'll still iDefend. dj's new iToy is already bent but he's telling people it was his fault because he didn't use a belt clip to carry his new iToy around. LMAOOO

8. Jimrod

Posts: 1605; Member since: Sep 22, 2014

Hmm, yet when you look in the new camera test here (where the iPhone wins) it's full of crying and accusations from the Android crowd, seems every brand has their fanboy defenders...

7. f35hunter

Posts: 240; Member since: Dec 12, 2013

Very secure!!!!

9. poppy.a

Posts: 41; Member since: Sep 24, 2014

Apple is doomed

10. jroc74

Posts: 6023; Member since: Dec 30, 2010

Wait a min, does this affect Android too? "He also claimed that it will be pretty hard for Apple to cope with this problem and circumvent malicious apps from making use of the exploit, as each and every iOS version until now will have to have their WebKit and UIWebView packages updated." If this doesn't affect Android too... which also uses WebKit... this will be damaging, very damaging for Apple. This sounds very serious.

11. tacarat

Posts: 854; Member since: Apr 22, 2013

I'm curious how it doesn't apply to EVERY computing system that doesn't block such functionality. WP, BB and even the new blackphone. It should underscore using trusted app vendors more than before. Trusted app sources wouldn't apply in this case as the apps were bogus to start.
