Report: in-app browsers in iOS can easily keylog you

Every now and then, a report or a developer comes out and warns that a certain flaw exists in a given mobile OS, which opens the gates for malicious apps and allows them to steal often-sensitive data. Android and iOS, the duo of operating systems that basks in the most popularity, are the usual victims of such malevolent exploits. One of the latest threats that was brought to light can seriously compromise the sensitive data of iOS users.

One of Twitterrific's (a third-party Twitter client) developers, Craig Hockenberry, warned that apps that have in-built browsers inside can keylog you as easy as abc. Keylogging, if you don't know, is the act of monitoring your key strokes and sending them to a remote location without your knowledge, usually with malicious intent in mind. Apps in both iOS 7 and iOS 8 are said to be able to keylog you silently (there is no info yet about previous iOS versions), but Hockenberry revealed that it is not due to a flaw in iOS' WebKit itself, it's most probably a JavaScript exploit, which circumvents the OAuth open security protocol in the Safari browser.

Hockenberry also released a brief video in which he showcases an in-app browser keylogging some login credentials, i.e. a username and a corresponding password. He also claimed that it will be pretty hard for Apple to cope with this problem and circumvent malicious apps from making use of the exploit, as each and every iOS version until now will have to have their WebKit and UIWebView packages updated. He advises Cupertino to be fully implementing the OAuth protocol so as to protect its users from misbehaving apps with built-in browsers and malicious wrongdoers.

Users, on the other hand, are advised to think twice and thrice before keying in their login credentials and sensitive personal information in any other app different from Apple's Safari itself.

You can check out Craig Hockenberry's video right below. 



source: Furbo via MacRumors