six colors

by Jason Snell & Dan Moren

Linked by Jason Snell

When Apple forces an app to be less secure

Iconfactory developer Craig Hockenberry’s Furbo site is a treasure trove of clear thinking and technical detail, and his latest post, “In-App Browsers Considered Harmful,” is both.

There is always a tradeoff between usability and security…. As a user, I know that there’s no way for my login to be compromised when the transaction involves Safari.

Unfortunately, Apple’s current App Review policy does not agree with this recommendation or with Twitterrific’s previous implementation. This is why our update for iOS 8 was delayed—it was the first time since the launch of the App Store that we haven’t had a new version on release day.

The story seems to be this: Twitterrific needs to authenticate accounts with Twitter’s servers, but Twitter uses OAuth, a system that lets accounts authenticate without storing a user’s actual password. That’s a security improvement, since Twitterrific never needs access to your Twitter password. Since Twitter put this feature in place, when you add an account to Twitterrific, the app kicks you out to Safari. You put in your user name and password, and the authentication token is kicked back to Twitterrific. That’s it.

Except with the latest version of Twitterrific, Apple rejected this approach, claiming that switching out to Safari and back into Twitterrific causes a bad user experience. The result is that now when you sign into Twitter with Twitterrific, you do so in a browser window in the Twitterrific app itself.

It’s a nicer user experience, to be sure, but at what cost? Hockenberry’s post makes it clear that it’s quite easy for app developers to read everything you enter in an in-app window, and modify the display of pages loaded in those windows. The entire point of OAuth authentication is to prevent a third party from intercepting your password—but once the exchange happens inside an app, anything goes.

I hope Apple will reconsider its approach to this sort of security issue. But Hockenberry’s larger point is important for any iOS user to remember:

Another goal of this essay is to increase user awareness of the potential dangers of using an in-app browser. You should never enter any private information while you’re using an app that’s not Safari.