
How do I trust that I am typing my password for Google when I'm using a Safari web view in any iOS app?

'Sign In' page, which appears to come from Google

unor
bubakazouba
  • Maybe we can extend this question to include all (mobile) OS? I'd be interested in a solution (if there is one) for Android. – Nijin22 Nov 06 '16 at 17:11
  • @Nijin22 The answer is different for Android, because the preferred login method is by invoking Google Sign-In, which is part of Google Mobile Services. – oldmud0 Nov 06 '16 at 19:31
  • See this image - Google is going to block these from April 2017 https://i.stack.imgur.com/GdsQT.png – Tim Nov 29 '16 at 16:46
  • @Tim Wow, I didn't know my SE question would have such an effect on Google, jk... way to go Google! – bubakazouba Nov 29 '16 at 16:48
  • @bubakazouba Well, it could have influenced their decision. – Tim Nov 29 '16 at 16:48

2 Answers


How do I trust that I am typing my password for google

You do not.

Apps should allow you to do that through the actual Safari browser in another window, where you can see the address bar.

Greendrake
  • 7
    How do you know then that the app is opening an actual Safari window and not its own modified copy of the browser? – Federico Poloni Nov 06 '16 at 10:44
  • 5
    @FedericoPoloni double tap the home button. You should see two apps open, the app and Safari. – Tim Nov 06 '16 at 11:40
  • 2
    @Tim But then how do you know that that second app that looks a lot like Safari is Safari? – Federico Poloni Nov 06 '16 at 15:15
  • 4
    @FedericoPoloni well if it opens inside the app there would only be one app... so either the app has somehow installed a second app (not possible), or it really is safari. Also apps are labelled with their name and icon on the switcher. – Tim Nov 06 '16 at 15:22
  • @Tim Sorry, I deleted the comment when I saw you edited yours during the grace period, so mine was less relevant. I guess in Apple's "walled garden" system it's difficult to get an app that looks exactly like Safari approved, or change an app's name/icon after it's installed? – Federico Poloni Nov 06 '16 at 15:32
  • 2
    @FedericoPoloni well yes, one app cannot install another, and no app in the store can be called safari. Names can change with an update, but I doubt safari could be installed – Tim Nov 06 '16 at 15:34
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/48068/discussion-between-federico-poloni-and-tim). – Federico Poloni Nov 06 '16 at 15:37

I agree with Greendrake.

In my experience with iOS you cannot verify whether the source is Google or not, unless (as Greendrake said) it is in a browser window/interface.

However, if you have a decent knowledge of reading packets, then there is another solution. There are third-party applications that will allow you to view the packets of your iPhone when it is tethered to your computer. From there you would be able to see whether the authentication interface is from Google or a third party.

  • Even if the content was retrieved from Google, and the password sent back properly, the application is in a man-in-the-middle position, so it can save the password and leak it elsewhere. – Koterpillar Nov 06 '16 at 07:13
  • You would only be able to see the IP addresses though, as the connection between the app and the Google-looking website will be encrypted (HTTPS). – Greendrake Nov 06 '16 at 07:25
  • @Greendrake You could quite easily break into that tunnel. If you control the phone (to a certain extent), you can import a custom CA. – Rhymoid Nov 06 '16 at 12:39
  • @Koterpillar Very good point, but if you have control over the device you can inspect the app and check if it has any malicious content such as "abusive man-in-the-middle". –  Nov 06 '16 at 17:39
  • @milorules1012 If you can inspect the app, you can verify it's displaying the real Google page too. – Koterpillar Nov 06 '16 at 21:31
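Greendrake's answer and Koterpillar's comment make the same point from two sides: a page rendered inside an app's own web view is fully under that app's control, so the only fix is for the app to hand sign-in to a system-owned browser context and receive nothing but the redirect. The following is an added Swift example (not code from the original post or from any participant) of an app doing that with ASWebAuthenticationSession; the `SignInCoordinator` type, the authorization URL, the client id and the `myapp` callback scheme are assumed placeholders.

```swift
import UIKit
import AuthenticationServices

// Placeholder values (constructed for this example, not from the original post).
let signInURL = URL(string: "https://accounts.example.com/authorize"
    + "?client_id=PLACEHOLDER&redirect_uri=myapp://callback&response_type=code")!
let callbackScheme = "myapp"

final class SignInCoordinator: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?
    private weak var window: UIWindow?

    init(window: UIWindow) { self.window = window }

    // The sign-in page is rendered by the system browser context, not by a
    // WKWebView the app owns: the app cannot read the page, inject script or
    // observe what the user types. The only thing handed back is the callback
    // URL, so the app never sees the password, only a short-lived code.
    func start(completion: @escaping (Result<String, Error>) -> Void) {
        let session = ASWebAuthenticationSession(url: signInURL,
                                                 callbackURLScheme: callbackScheme) { callbackURL, error in
            if let error = error { completion(.failure(error)); return }
            guard let url = callbackURL,
                  let code = URLComponents(url: url, resolvingAgainstBaseURL: false)?
                        .queryItems?.first(where: { $0.name == "code" })?.value else {
                completion(.failure(URLError(.badServerResponse)))
                return
            }
            // Exchange the code for tokens on the app's backend; do not handle credentials here.
            completion(.success(code))
        }
        session.presentationContextProvider = self
        // Share Safari's cookie store so an existing signed-in session is reused.
        session.prefersEphemeralWebBrowserSession = false
        self.session = session
        session.start()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        return window ?? UIWindow()
    }
}
```

The user-visible difference is the one Greendrake describes: the session is presented by the system, with the real address bar, rather than drawn by the app.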