Updating Apps that Use Web Views – Are you affected?
Updating Apps that Use Web Views – News – Apple Developer:
If your app still embeds web content using the deprecated UIWebView API, we strongly encourage you to update to WKWebView as soon as possible for improved security and reliability. WKWebView ensures that compromised web content doesn’t affect the rest of an app by limiting web processing to the app’s web view. And it’s supported in iOS and macOS, and by Mac Catalyst.
The App Store will no longer accept new apps using UIWebView as of April 2020 and app updates using UIWebView as of December 2020.
In layman's terms, if your app loads content from the web, e.g. a web page or a web application, then this could affect you. For Xyroh clients, especially those based on Xamarin Forms, this shouldn't be a problem as they already use WKWebView.
Worst affected will be those who have stale apps, or apps that aren't being regularly supported by the original developers. In those cases please get in touch: we can do an analysis of the original source code, let you know whether you are affected, the cost to fix and support going forward, and the side effects of doing nothing; basically, let you make an informed decision.
Andy Flisher is a Software Developer based in the North East of England with over 20 years software development experience. He is available for hire and specialises in cross platform mobile app development, web applications, desktop software, bespoke cloud architecture solutions and providing outsourced project management services.
You get what you pay for – Mobile App Security
You get what you pay for – App Security
In the course of work this week I had cause to audit an iOS app that a prospect had had developed by a local competitor here in the North East. The reason for this was that the prospective client was looking at moving the hosted back end (ASP .Net, SQL Server; standard stuff) and wanted a price.
The purpose of the audit was to check what network connections the app was making and correlate them with what I knew about the backend hosting, just to make sure there were no surprises. We didn't have the source code for either end yet; it was just a pricing exercise at this point (as it happens the app is written using PhoneGap, so we did have the source code, but my route was quicker).
So, I installed the app, redirected my iPhone through a proxy server, fired up the app, and proceeded to stare in horror. On first run the app instantly opened an unencrypted, unauthenticated connection to the backend host and promptly downloaded the usernames, passwords, emails, and more for every user in the system. It then keeps a copy of these locally and uses those details to authenticate later.
Why is this bad? In layman's terms, because anyone on the internet who knew the URL the app uses could download the same list. Would people be interested in logging in to this system? Probably not. Do people use the same username and password for Amazon, Tesco and online banking? Absolutely, and there's the problem.
Solutions: well, it's about paranoia, but the key areas are:
- Authentication: implement simple basic authentication so that the app logs in to the web service it pulls the data from.
- HTTPS: implement an SSL connection, so that at least all traffic to and fro is encrypted (important, as Basic Authentication sends credentials in plain text, so without HTTPS it's still sniffable).
- Change the login mechanism to remove the need to download all user info at all.
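The proxy-based check described above can be automated against a capture. The script below is an added example, not code from the post or from the app audited; it assumes the proxy exports its traffic in HAR format (the constructed `SAMPLE_HAR` stands in for a real export) and flags the three things the fixes above address: plaintext transport, requests with no Authorization header, and JSON responses carrying credential-shaped fields.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR-style capture (not from any real app): one bad fetch, one acceptable login.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "http://api.example.invalid/users.json", "headers": []},
     "response": {"content": {"mimeType": "application/json", "text": json.dumps(
         [{"username": "alice", "password": "hunter2", "email": "a@example.invalid"}])}}},
    {"request": {"url": "https://api.example.invalid/login",
                 "headers": [{"name": "Authorization", "value": "Basic REDACTED"}]},
     "response": {"content": {"mimeType": "application/json", "text": '{"token": "opaque"}'}}},
]}}

# JSON keys that should never appear in a bulk response to an unauthenticated client.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "email", "username"}

def sensitive_keys(obj):
    """Recursively collect JSON keys that look like credential fields."""
    if isinstance(obj, dict):
        return {k.lower() for k in obj if k.lower() in SENSITIVE_KEYS}.union(
            *(sensitive_keys(v) for v in obj.values()))
    if isinstance(obj, list):
        return set().union(*(sensitive_keys(v) for v in obj))
    return set()

def audit_entry(entry):
    """Return finding strings for one captured request/response pair."""
    req, resp, findings = entry["request"], entry["response"], []
    url = req["url"]
    if urlsplit(url).scheme != "https":
        findings.append("plaintext transport")
    if not any(h["name"].lower() == "authorization" for h in req.get("headers", [])):
        findings.append("no Authorization header")
    content = resp.get("content", {})
    if "json" in content.get("mimeType", ""):
        try:
            keys = sensitive_keys(json.loads(content.get("text", "")))
        except ValueError:  # non-JSON body despite the declared type
            keys = set()
        if keys:
            findings.append("credential-shaped fields in response: " + ", ".join(sorted(keys)))
    return findings

def audit_har(har):
    """Map each URL that produced findings to its list of findings."""
    report = {}
    for entry in har["log"]["entries"]:
        findings = audit_entry(entry)
        if findings:
            report[entry["request"]["url"]] = findings
    return report

if __name__ == "__main__":
    for url, findings in audit_har(SAMPLE_HAR).items():
        print(url, "->", "; ".join(findings))
```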
What's really frustrating though, and actually makes the 'You get what you pay for' title of this post a misnomer, is that this wasn't a cheap solution. The client paid a very reasonable amount for this app and solution. This is the sort of thing we see, and sadly expect, when a 'cheap' solution is offered as a counter to ours. We're not expensive, but not cheap; we do do things correctly though. It's a classic case of the customer not knowing what they're not getting: they trust, and assume that a professional job is being done, without really asking too many questions about why it's cheap.
In this case there are no excuses though. I'll not name anyone, and we've raised the issue with the client. We certainly won't be taking on the hosting until it's resolved!