Information Security Stack Exchange is a question and answer site for information security professionals. Join them; it only takes a minute:
How do I trust that I am typing my password for Google when I'm using a Safari web view in any iOS app?

'Sign In' page, which appears to come from Google

How do I trust that I am typing my password for google

You do not.

Apps should allow you to do that through the actual Safari browser in another window, where you can see the address bar.

How do you know then that the app is opening an actual Safari window and not its own modified copy of the browser? – Federico Poloni 4 hours ago
@FedericoPoloni double tap the home button. You should see two apps open, the app and Safari. – Tim 3 hours ago
@Tim But then how do you know that that second app that looks a lot like Safari is Safari? – Federico Poloni 10 mins ago
@FedericoPoloni well if it opens inside the app there would only be one app... so either the app has somehow installed a second app (not possible), or it really is Safari. Also apps are labelled with their name and icon on the switcher. – Tim 3 mins ago
@FedericoPoloni how did the second app get onto the phone? – Tim 47 secs ago

I agree with Greendrake.

In my experience with iOS you cannot verify if the source is from Google or not, unless (like Greendrake said) it is in a browser window/interface.

However, if you have decent knowledge of reading packets then there is another solution. There are third party applications that will allow you to view the packets of your iPhone when it is tethered to your computer. From there you would be able to view if the authentication interface is from Google or a third party.

Even if the content was retrieved from Google, and the password sent back properly, the application is in a man-in-the-middle position, so it can save the password and leak it elsewhere. – Koterpillar 8 hours ago
You would only be able to see the IP addresses though as the connection between the app and the Google-looking website will be encrypted (HTTPS). – Greendrake 8 hours ago
@Greendrake You could quite easily break into that tunnel. If you control the phone (to a certain extent), you can import a custom CA. – Rhymoid 2 hours ago
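Greendrake's answer (hand the sign-in off to a real Safari surface) and Koterpillar's man-in-the-middle comment, written out as iOS code. This is an added example, not code from the question or any answer: it contrasts an in-app WKWebView, where the app's own script runs inside the sign-in page, with SFSafariViewController and ASWebAuthenticationSession, which render out of the app's process. The sign-in URL, the `exampleapp` callback scheme and the class names are constructed for illustration, and ASWebAuthenticationSession assumes iOS 12 or later.

```swift
import UIKit
import WebKit
import SafariServices
import AuthenticationServices

// Constructed sign-in URL for illustration.
let signInURL = URL(string: "https://accounts.google.com/signin")!

// Receives whatever the app's injected script chooses to send back.
final class HostBridge: NSObject, WKScriptMessageHandler {
    func userContentController(_ controller: WKUserContentController, didReceive message: WKScriptMessage) {
        print("in-app web view reported: \(message.body)")
    }
}

// Untrusted pattern: an in-app WKWebView. The app's WKUserScript runs inside the
// provider's page with full DOM access, so the app sits between the user and the
// site, and nothing on screen lets the user tell this apart from a real browser.
func makeInAppWebView() -> WKWebView {
    let config = WKWebViewConfiguration()
    config.userContentController.add(HostBridge(), name: "host")
    config.userContentController.addUserScript(WKUserScript(
        source: "window.webkit.messageHandlers.host.postMessage(document.title)",
        injectionTime: .atDocumentEnd, forMainFrameOnly: true))
    let webView = WKWebView(frame: .zero, configuration: config)
    webView.load(URLRequest(url: signInURL))
    return webView
}

// Trusted pattern 1: SFSafariViewController renders out of process with a
// read-only address bar, so the app cannot script the page or read its content.
func presentSafariViewController(from host: UIViewController) {
    host.present(SFSafariViewController(url: signInURL), animated: true)
}

// Trusted pattern 2: ASWebAuthenticationSession for redirect-based sign-in.
// The app only ever receives the final callback URL, never the password.
final class SignInCoordinator: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?
    private let anchor: ASPresentationAnchor
    init(anchor: ASPresentationAnchor) { self.anchor = anchor }
    func start() {
        session = ASWebAuthenticationSession(url: signInURL, callbackURLScheme: "exampleapp") { url, error in
            guard error == nil, let url = url else { return }
            print("sign-in callback: \(url)")
        }
        session?.presentationContextProvider = self
        session?.start()
    }
    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { anchor }
}
```

From the user's side the visible difference is the Safari chrome with a read-only address bar in the two trusted patterns; a bare WKWebView shows none of that, which is why the answers say you cannot verify it.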
