Apple really isn’t having a good week. Things started out well enough when Apple revealed on Monday morning that more than 10 million combined iPhone 6 and iPhone 6 Plus handset were sold during their debut weekend. Then came “Bendgate.” And iOS 8.0.1. And the revelation that Apple is entirely at fault for the huge nude celebrity photo leak. Piling on top of this growing list is a blog post from app developer Craig Hockenberry, who reveals a big and potentially frightening security issue in iOS 8 and earlier versions of Apple’s mobile software.
FROM EARLIER: It’s Apple’s fault that the world has seen naked photos of Jennifer Lawrence
Hockenberry, one of the developers who helped build the popular app Twitterrific, has posted at length about a serious security issue that affects all iOS devices.
The gist of the issue is this: in-app browsers in third-party iOS apps have the ability to log keystrokes as they’re typed. In other words, when a browser window pops up in an app to let you log into a service like Google, Facebook or Twitter, it’s possible that your login details can be stolen. Worse yet, credit card data or bank login details can be stolen if entered in a browser window in a third-party app.
A few notes about the above video from Hockenberry:
The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.
This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.
The app is stealing your username and password by watching what you type on the site. There’s nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.
For more on this issue, head over to Hockenberry’s blog, which is linked below in the source section.