4

I just had to sign in to my Google account in an iPhone app. It's a third-party app that only uses the Google account for authentication. The familiar Google sign-in page appeared in what is known as a "web view", that is, a browser that is embedded into the application. The problem I am seeing here is that I don't see the URL that is being loaded into the web view. It could be a page on a completely different domain that just looks like the Google sign-in page. Even if it did show a URL, I couldn't be sure that it actually is what it claims to be, because you could just make it look like it loads google.com even if it didn't. Should the sign-in page not be loaded in the actual system browser, which I do trust and where I can see the URL and the certificate, and then somehow redirect back to the app?

The only way I can think of is installing MITMProxy on my computer and watching the traffic as I sign in to confirm that my password is really only transmitted to Google. That's not very practical though.

Is there a better practice than sign-in via web view for (iPhone) apps?

eikes
  • You don't necessarily have to MITM the whole connection, just check the IP address that the phone connects to. With that said, short of inspecting the network traffic or reverse engineering the app, no you cannot know. – CBHacking Sep 28 '15 at 22:16
  • 2
    Even if a URL was shown I would debate the origin, since an app developer could easily fake this part as well. Or just as easily key-log your input. Personally I would only log in to such an app if it integrates with that service's authorization APIs that take advantage of a passwordless technology like OAuth 2.0. – Bacon Brad Sep 28 '15 at 22:18
  • This is how the Stack Exchange app works if you log in using your Google account. – JonnyWizz Oct 31 '15 at 16:29
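The flow the question asks for (system browser, then a redirect back into the app) combined with the OAuth 2.0 authorization-code path mentioned in the comments, as an added example in Python that is not from this thread: the app builds the authorization request for the system browser and validates the redirect it later receives. The provider endpoint, redirect URI and client id are placeholders, not any real provider's values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): a provider's authorization endpoint and the
# custom-scheme redirect URI registered for the app.
AUTHORIZE_ENDPOINT = "https://idp.example/oauth2/authorize"
REDIRECT_URI = "com.example.app:/oauth2redirect"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def begin_login(client_id: str) -> dict:
    # Per-attempt secrets: `state` ties the redirect back to this attempt; the
    # PKCE verifier proves at the token endpoint that the app that started the
    # flow is the one finishing it. The URL is opened in the system browser,
    # so the user sees the real origin and never types a password into the app.
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)  # 43..128 unreserved chars
    challenge = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return {"url": f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}",
            "state": state, "code_verifier": code_verifier}


def handle_redirect(session: dict, redirect_url: str) -> str:
    # Validate what the OS hands back before trusting it: wrong scheme/path,
    # a provider error, or a missing/mismatched state are all rejected, so a
    # stray or forged redirect cannot complete the pending login.
    got, want = urlparse(redirect_url), urlparse(REDIRECT_URI)
    if (got.scheme, got.path) != (want.scheme, want.path):
        raise ValueError("redirect does not match the registered redirect_uri")
    q = parse_qs(got.query)
    if "error" in q:
        raise ValueError(f"provider returned error: {q['error'][0]}")
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: not the login attempt this app started")
    if "code" not in q:
        raise ValueError("no authorization code in redirect")
    return q["code"][0]
```

The returned `code_verifier` is what the app sends to the token endpoint together with the code; the app only ever handles the short-lived code, never the user's password.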

2 Answers

0

Unfortunately this is how the sad state of the internet is now. With single sign-on, it is how it works. The only way to be sure there isn't any side offloading of the sign-in is to link the data submission with the remote host, but even then there could be a cluster of outgoing submissions.

Munchen
-1

Short of monitoring the connection, you can't. The webview could easily be replaced by the connecting server. This is why it's important to only give API access to apps you trust.

Stephen Punwasi