WebViews Are Not To Be Trusted - hodgesmr
http://matthodges.com/2013/09/webviews-are-not-to-be-trusted/

======
swdunlop
And what is the difference between an untrusted application presenting a login
webview for your service of choice, and a GUI form doing the same?

I must not understand the article.

~~~
nostrademons
Do native apps really use third-party authentication services? That would
scare the shit out of me too.

I think the point of the article is that there's a trend with web applications
to use third-party identity providers like Google or Facebook. This itself is
(mostly) harmless; their login procedures are designed so that you can verify
that it is, in fact, Google or Facebook you are logging into, because the
login form is hosted on their domain, it goes through SSL, and you can verify
all that in the browser's address bar.

There's also a trend toward eliminating the address bar, by e.g. putting your
webapp in a WebView which doesn't show it, or by using native-only apps, or
Chrome's move toward not showing the full URL for certain sites. When you
combine this with the trend toward third-party identity providers, it's very
dangerous, because you have no way of verifying that you are giving your
identity to the people you think you are giving your identity to.

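The contrast nostrademons describes, as an added Android example that is not part of the thread: the in-app WebView login next to the browser-hosted alternative. `ID_PROVIDER_LOGIN` is a placeholder for the identity provider's authorization URL, and the Custom Tabs dependency (`androidx.browser`) is assumed to be available.

```java
// Added example, not from the thread: the weak pattern beside the mitigation.
// Assumes an Android app that signs users in through a third-party identity
// provider; ID_PROVIDER_LOGIN is a constructed placeholder URL.
import android.content.Context;
import android.net.Uri;
import android.webkit.WebView;
import androidx.browser.customtabs.CustomTabsIntent;

public class LoginLauncher {
    // Placeholder for the provider's authorization endpoint (constructed).
    static final String ID_PROVIDER_LOGIN = "https://idp.example/authorize";

    // Weak: the provider's login form renders inside the app's own WebView.
    // The app decides what is drawn, there is no address bar or lock icon,
    // and the user cannot tell whether the page really came from the
    // provider over TLS or is a look-alike served by the app itself.
    static void loginInWebView(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.loadUrl(ID_PROVIDER_LOGIN);
    }

    // Mitigation: hand the URL to the user's browser (a Chrome Custom Tab
    // here). The page is rendered by the browser in its own process, the
    // origin and TLS indicator are shown to the user, and the credentials
    // typed into the form never pass through the app.
    static void loginInBrowser(Context context) {
        CustomTabsIntent tab = new CustomTabsIntent.Builder().build();
        tab.launchUrl(context, Uri.parse(ID_PROVIDER_LOGIN));
    }
}
```

Only the second path gives the user the domain and TLS state that the comment above says are needed to know who is actually receiving the login.
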
~~~
swdunlop
> Do native apps really use third-party authentication services? That would
> scare the shit out of me too.

I would not underestimate the callousness of someone chasing revenue one or
two dollars at a time. I see this all the time in Android applications,
digging around with AndBug [1] -- just set a hook on various
apache.http.client.HttpClient methods, and watch the interactions.

[1]: [https://github.com/swdunlop/andbug](https://github.com/swdunlop/andbug)