Last night I saw Craig Hockenberry's excellent post that explains a method that an iOS app can use to capture anything you type into an in-app browser.
Almost three years ago, I reported another way to eavesdrop on users’ keystrokes in an embedded browser (radar 10447976). It’s a much more rudimentary attack than Craig’s, but nevertheless it’s a means for this information to be harvested.
Here is a dead simple sample project that illustrates the attack. There are two factors that come into play.
- In a password field, each character is shown to the user for a brief moment.
- Apps are allowed to do a screen-grab of their own window.
Here is a screenshot of the sample app. The Twitter login page is loaded into a WebView.
As you can see, the most recent character in my password is displayed as I type. Now, combine this with a fast-firing timer that continually takes screen grabs of the web view, and voilà, you have the whole password. I was able to easily capture my entire Twitter password.
Now, you still have to piece the keystrokes together out of the screenshots, so it’s not the most elegant attack, but in the end you still have the information.
When I reported this to Apple in 2011, they replied and said that they didn’t see how this is a security issue. I guess I can understand, since it’s pretty roundabout. Still, it would be nice if web views were bulletproof and completely trustworthy.
I agree with Craig that web views are great for quick and dirty views of webpages that aren’t asking for sensitive information. Be wary of entering sensitive passwords into any app, even if it’s showing you a webpage that isn’t technically phishing.