
Ask HN: How am I supposed to verify the origin of a sign-in page in a web view? - 3ds
I just had to sign in to my Google account in an iPhone app (Ingress). The familiar Google sign-in page appeared in what is known as a "web view", that is, a browser that is embedded into the application. The problem I am seeing here is that I don't see the URL that is being loaded into the web view. It could be a page on a completely different domain that just looks like the Google sign-in page. Even if it did show a URL, I couldn't be sure that it actually is what it claims to be, because you could just make it look like it loads google.com even if it didn't.

Should the sign-in page not be loaded in the actual system browser, which I do trust and where I can see the URL and the certificate, and then somehow redirect back to the app?

The only way I can think of is by installing MITMProxy on my computer and watching the traffic as I sign in to confirm that my password is really only transmitted to Google.

Is there a better practice than the sign-in via web view for (iPhone) apps?
======
silviogutierrez
I'm also interested in this. Seems like a very easy way to phish for
credentials.

