
Developer warns of yet another big iPhone security flaw

Published Sep 25th, 2014 1:40PM EDT
[Image: iOS 8 Security Flaw. Credit: Zach Epstein, BGR]


Apple really isn’t having a good week. Things started out well enough when Apple revealed on Monday morning that more than 10 million combined iPhone 6 and iPhone 6 Plus handsets had been sold during their debut weekend. Then came “Bendgate.” And iOS 8.0.1. And the revelation that Apple is entirely at fault for the huge nude celebrity photo leak. Piling on top of this growing list is a blog post from app developer Craig Hockenberry, who reveals a big and potentially frightening security issue in iOS 8 and earlier versions of Apple’s mobile software.


Hockenberry, one of the developers who helped build the popular app Twitterrific, has posted at length about a serious security issue that affects all iOS devices.

The gist of the issue is this: the in-app browser a third-party iOS app embeds can record keystrokes as they’re typed into a web page. In other words, when a browser window pops up inside an app to let you log into a service like Google, Facebook or Twitter, the app itself, not the website, can capture your login details. Worse yet, credit card numbers or bank credentials entered in such a browser window can be captured in the same way.

A few notes about the above video from Hockenberry:

The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to a remote server.

This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has an input form. All the attacker needs to know can easily be obtained by viewing the public-facing HTML on the site.

The app is stealing your username and password by watching what you type on the site. There’s nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.
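The practical defence for app developers follows from Hockenberry’s last note: if the login page never runs inside a web view the app controls, the app has no JavaScript hook into it. The example below is added here and is not code from the article or from Hockenberry; it shows an iOS app handing a sign-in flow to ASWebAuthenticationSession (available from iOS 12), which renders the page in a system-owned browser context that the host app cannot script or observe. The app only receives the final redirect to its own callback URL. The authorization URL, the custom `exampleapp` callback scheme and the `WebLoginCoordinator` class are assumptions for illustration.

```swift
import AuthenticationServices
import UIKit

/// Added example, not part of the article: present a third-party login page
/// out of process so the host app cannot inject JavaScript or watch keystrokes.
/// The app sees only the callback URL the service redirects to at the end.
final class WebLoginCoordinator: NSObject, ASWebAuthenticationPresentationContextProviding {

    enum LoginError: Error {
        case missingCallbackURL
    }

    private var session: ASWebAuthenticationSession?
    private weak var window: UIWindow?

    init(window: UIWindow) {
        self.window = window
    }

    /// `authURL` is the service's own login/authorization page (an assumed
    /// value in the usage below). `callbackScheme` is a custom URL scheme the
    /// app registers in its Info.plist; the service redirects to it when done.
    func signIn(authURL: URL,
                callbackScheme: String,
                completion: @escaping (Result<URL, Error>) -> Void) {
        let newSession = ASWebAuthenticationSession(
            url: authURL,
            callbackURLScheme: callbackScheme
        ) { callbackURL, error in
            if let error = error {
                completion(.failure(error))
                return
            }
            guard let callbackURL = callbackURL else {
                completion(.failure(LoginError.missingCallbackURL))
                return
            }
            // Only the redirect URL (e.g. an authorization code) reaches the
            // app; the password typed into the page never does.
            completion(.success(callbackURL))
        }
        newSession.presentationContextProvider = self
        // Keep the system browser's cookies so the user is not forced to
        // re-enter credentials on every login; set to true for a private session.
        newSession.prefersEphemeralWebBrowserSession = false
        session = newSession
        newSession.start()
    }

    // MARK: - ASWebAuthenticationPresentationContextProviding

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        return window ?? ASPresentationAnchor()
    }
}

// Usage (assumed URL and scheme; run from a view controller that owns a window):
//
// let coordinator = WebLoginCoordinator(window: view.window!)
// let authURL = URL(string: "https://example.com/oauth/authorize?client_id=demo&redirect_uri=exampleapp://callback")!
// coordinator.signIn(authURL: authURL, callbackScheme: "exampleapp") { result in
//     switch result {
//     case .success(let url): print("redirected to", url)   // parse the code from the query
//     case .failure(let err): print("login failed:", err)
//     }
// }
```

The same isolation applies to general browsing with SFSafariViewController: both run outside the app’s process, which is exactly the property the embedded web view lacks. Site owners cannot detect or block injection from inside a page, so the fix has to happen on the app side.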

For more on this issue, head over to Hockenberry’s blog, which is linked below in the source section.

By Zach Epstein, Executive Editor
