
Comment by afavour

1 year ago

Not to downplay it but at least this requires users to download the Onavo app, which isn’t so common.

The one that I wonder about a lot is this: there are two (non-deprecated) types of webview you can use in iOS: WKWebView and SFSafariViewController. They’re intended for very different uses.

When you tap on a link in the Facebook app they should use SFSafariViewController. It’s private (app code has no visibility into it), it shares cookies with Safari, and it’s literally intended for “load some external web content within the context of this app”.

Instead, FB still uses WKWebView. With that you can inject arbitrary JS into any page you want. Track navigations, resources loaded, the works. Given the revelations we’ve seen in this article and many others I shudder to imagine what FB is doing with those capabilities. They’re probably tracking user behavior on external sites down to every tap on every pixel. It seems insane to think they might be tracking every username and password entered in their in-app webviews but they have the technical capability to. And do we really trust that they wouldn’t?
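As an added illustration of the difference the comment describes (my own example, not code from the commenter or from any Meta app), the Swift below opens the same link both ways: SFSafariViewController, where the host app sees nothing, and WKWebView with a WKUserScript, where any page the user visits can be made to report back to native code. The class name LinkOpener and the "report" handler name are assumptions.

```swift
import UIKit
import WebKit
import SafariServices

final class LinkOpener: NSObject, WKScriptMessageHandler {
    /// Privacy-preserving choice for third-party links: the app gets no
    /// visibility into page content, and the page shares Safari's cookies.
    func openExternally(_ url: URL, from host: UIViewController) {
        let safari = SFSafariViewController(url: url)
        host.present(safari, animated: true)
    }

    /// The same link in a WKWebView. The user script below runs inside
    /// every page and every frame with full DOM access; the host app
    /// receives whatever the script chooses to post.
    func openInAppWebView(_ url: URL, into container: UIView) -> WKWebView {
        let config = WKWebViewConfiguration()
        let controller = WKUserContentController()
        // Constructed, deliberately minimal script: it only reports the
        // document URL and title, enough to show that the channel exists.
        let js = """
        window.webkit.messageHandlers.report.postMessage(
            { url: location.href, title: document.title });
        """
        let script = WKUserScript(source: js,
                                  injectionTime: .atDocumentEnd,
                                  forMainFrameOnly: false)
        controller.addUserScript(script)
        controller.add(self, name: "report")
        config.userContentController = controller

        let webView = WKWebView(frame: container.bounds, configuration: config)
        container.addSubview(webView)
        webView.load(URLRequest(url: url))
        return webView
    }

    // Called for every page loaded in the WKWebView, whatever site it is;
    // there is no equivalent hook for SFSafariViewController.
    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        print("page reported:", message.body)
    }
}
```

From the user's side the two look similar; from the app's side only the second path gives it a view into the page, which is why the choice of class matters for privacy.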

I wasn’t aware that WKWebView granted the app such power. Is there a way for me as a user to figure out if WKWebView or SFSafariViewController is being used if I have a web page open? Although I don’t use FB, I do use the web view of other apps and don’t want them to be able to do this either.

  • SFSafariViewController is less customizable visually, so the standard "sheet coming up within the app" that always looks the same regardless of the app (at least in most apps, and of course not Meta's apps) is that one.

    Having said that, since WKWebView is just a view that can be customized visually, nothing can stop someone from creating a WKWebView-wrapping view controller that looks exactly like the "safe" Safari one anyway.

I don’t have Instagram but I have Facebook; when people send me links to Instagram videos on Messenger, the view doesn’t let me watch them unless I log in (in fact, create an account). I can only watch them by loading them externally in Safari.