iOS Lockdown mode allows custom in-app webviews, host apps can steal information

Originator: KrauseFx
Number: rdar://10735684
Date Originated: 2022-08-17
Status: Open
Resolved:
Product: WebKit
Product Version:
Classification:
Reproducible:
Apps like Meta's Instagram and Facebook apps use their own custom in-app web browser to render third-party links. By doing so, Meta actually injects the Meta tracking pixel into all third-party websites without the user's consent. In theory, iOS apps can then steal user credentials, API keys and third-party website content by rendering their own in-app WebView instead of using SFSafariViewController or opening Safari. With App-Bound Domains, this issue will be resolved, and companies like Meta will be forced to use the technology that's best for the user. However, App-Bound Domains isn't enforced at the moment. While this is a big change, App-Bound Domains should be enabled by default for all iOS apps when Lockdown mode is enabled, to better protect the user from attacks. For the full context of the issue, and how Meta is currently abusing it, see the attached PDF.


Attached is a PDF copy of https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser
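The mitigation the report asks Apple to enforce by default under Lockdown mode is something any app can adopt today. The Swift below is an added example, not code from the report or from the apps it names: it declares an app-bound domain in Info.plist, opts a WKWebView into the App-Bound Domains policy, and handles the error WebKit returns when a script-injection call is attempted against a page that is not app-bound. The domain, URL and class name are placeholders.

```swift
import UIKit
import WebKit

// Info.plist entry the app must ship (constructed example; the domain is a placeholder):
//   <key>WKAppBoundDomains</key>
//   <array>
//       <string>app-bound.example</string>
//   </array>

/// In-app web view that opts into App-Bound Domains, so WebKit rather than the
/// host app decides where script injection is allowed.
final class BoundWebViewController: UIViewController, WKNavigationDelegate {
    private let webView: WKWebView = {
        let config = WKWebViewConfiguration()
        // Weak default: false (no enforcement). With the Info.plist key above and
        // this flag set, WebKit applies the App-Bound Domains policy to this view.
        config.limitsNavigationsToAppBoundDomains = true
        return WKWebView(frame: .zero, configuration: config)
    }()

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        view.addSubview(webView)
        // Placeholder URL on the app-bound domain declared above.
        webView.load(URLRequest(url: URL(string: "https://app-bound.example/")!))
    }

    /// Benign diagnostic: read the page title after each load. If the page is not
    /// on an app-bound domain, WebKit answers with javaScriptAppBoundDomain instead
    /// of running the script, so the host app cannot touch third-party content.
    func webView(_ webView: WKWebView, didFinish navigation: WKNavigation!) {
        webView.evaluateJavaScript("document.title") { result, error in
            if let wkError = error as? WKError, wkError.code == .javaScriptAppBoundDomain {
                print("Script injection refused: page is not on an app-bound domain")
            } else if let error = error {
                print("evaluateJavaScript failed: \(error.localizedDescription)")
            } else {
                print("Title: \(result as? String ?? "")")
            }
        }
    }
}
```

The same policy also governs user scripts, script message handlers and cookie-store access for that web view, which is why the report argues it should be the default rather than an opt-in.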

Comments

Apple

Thanks for your report. This isn’t what Lockdown Mode is for.
