Privacy concerns with Safari View Controllers

In iOS 9 Apple introduced Safari View Controller, allowing an app to open a web view that has access to the iCloud keychain, autofill, and any cookies already in the device's Safari—all without asking the user for permission.


How is this not a major privacy breach?


Basically any website that you're currently logged into via Safari could get accessed by an app. Or am I missing something?


For example, let's say you open Tinder and tap "Log in with Facebook" on someone's device. Rather than being prompted for a password, it's going to pop up a Safari View Controller and just automatically log you into Tinder as whoever was logged into Facebook in the device's Safari. Which could be a problem if you've let someone other than you log in to Facebook on your device's Safari.


Personally I keep my OS-level Facebook login blank, for a reason—I don't want apps to automatically be able to log in as me. But now they can just pop a Safari View Controller and do it anyway, without my permission? That ain't cool man.


So I think apps need to give clear warning that they are about to access an external site using some credentials you have currently put into Safari. I hope Apple adds some additional privacy controls and layers of protection to this...

Yes, you are missing something. The web server must have the apple-app-site-association file, and that allows access to only your web site's cookies etc. from only your app. There's no access to somebody else's cookies AFAIK.

I don't think I phrased it right. I'm not saying that the app itself gets access to the cookies—I'm saying that it gains benefit of the SafariViewController having access to them.


For example, take the Facebook authentication that Tinder does. If you click "Login with Facebook" now, it opens a Safari View Controller with a special URL. In that URL is encoded a string that Facebook uses to talk back to Tinder's servers and say "here is the person who is authenticated". When the user inside the Tinder app clicks that "Login with Facebook" link, if their operating-system-level Facebook credentials are blank (in the Settings app), then they should rightfully expect to be presented with a form to enter their login information.


However, instead of being presented with a form to enter their login information, Tinder is now able to load a web view that is already logged into Facebook and, if the user has already granted permission within that Facebook account for the Tinder app, the SafariViewController disappears as soon as it appears, and Tinder logs the user into Tinder according to whatever profile they were logged into Facebook with over in their Safari app—without ever asking the user whether that's how they want to log in to Tinder.


I mean, why should Tinder all of a sudden assume that you want to use the same Facebook profile that Safari is logged into as the one you want to log in to Tinder with?


Some people have multiple different accounts on social media or share their devices with housemates, significant others, etc. I don't always remember which was the last Facebook or Twitter profile that I logged into in Safari, or if my girlfriend or my brother used it last, if they left themselves logged in. I don't want apps going into Safari and automatically using whatever is currently logged in there as a way of identifying who I am or which account I want to use on their own server.


I really think this blurring of lines is a terrible idea and should be able to be turned off...
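An added example (not code from the original thread or from any app it names) contrasting the two presentation choices the discussion is about: an SFSafariViewController login, which inherits Safari's cookie jar, next to an ASWebAuthenticationSession login run with `prefersEphemeralWebBrowserSession` (iOS 13 and later), which starts with no shared Safari state and shows the user a consent prompt before anything loads. The provider URL, client id, callback scheme and state value are placeholders.

```swift
import UIKit
import SafariServices
import AuthenticationServices

// Placeholder authorization URL for an OAuth-style "Log in with <provider>" flow.
// The state value is what the provider echoes back so the app can tie the callback
// to the request it started; a real app would generate it randomly per attempt.
let expectedState = "PLACEHOLDER_STATE"
let authorizeURL = URL(string: "https://provider.example/oauth/authorize"
    + "?client_id=PLACEHOLDER_CLIENT_ID"
    + "&redirect_uri=exampleapp://callback"
    + "&state=\(expectedState)")!

final class LoginCoordinator: NSObject, ASWebAuthenticationPresentationContextProviding {
    private let window: UIWindow
    private var session: ASWebAuthenticationSession?

    init(window: UIWindow) { self.window = window }

    // Weak pattern: SFSafariViewController shares Safari's cookies, so if Safari is
    // already signed in to the provider, the flow completes silently as that account
    // without the user ever choosing it.
    func loginWithSharedSafariState(from host: UIViewController) {
        host.present(SFSafariViewController(url: authorizeURL), animated: true)
    }

    // Hardened pattern: ASWebAuthenticationSession prompts the user before starting, and
    // with an ephemeral session it carries none of Safari's cookies, so the user must
    // pick or enter the account they want for this app. The callback's state parameter
    // is checked against the one the app sent before the result is accepted.
    func loginIsolated(completion: @escaping (Result<URL, Error>) -> Void) {
        let session = ASWebAuthenticationSession(url: authorizeURL,
                                                 callbackURLScheme: "exampleapp") { callbackURL, error in
            if let error = error { completion(.failure(error)); return }
            guard let url = callbackURL,
                  let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
                  items.first(where: { $0.name == "state" })?.value == expectedState else {
                completion(.failure(URLError(.badServerResponse))); return
            }
            completion(.success(url))
        }
        session.prefersEphemeralWebBrowserSession = true // iOS 13+: no shared Safari session
        session.presentationContextProvider = self
        self.session = session
        session.start()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        return window
    }
}
```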
