Opinion • furbo.org • Page 4

In-App Browsers Considered Harmful

How many apps on your iPhone or iPad have a built-in browser?

Would it surprise you to know that every one of those apps could eavesdrop on your typing? Even when it’s in a secure login screen with a password field?

Here is a proof-of-concept (ZIP file) that shows how an app can do this. For those of you who don’t have Xcode installed, here’s a video that shows what’s going on:

A few things to note about what you’re seeing:

The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.
This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.
The app is stealing your username and password by watching what you type on the site. There’s nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.
The site content is also modified: the text on the button label is normally “Sign in” and has been changed to “SUCK IT UP”. It seemed appropriate.
This technique works in iOS 7 and 8 (and probably earlier versions, but I didn’t have an easy way to test them.)

OMFG APPLE IS HACKING ME

No, this is not a WebKit bug.

The Shadow DOM does a great job of protecting static user content on a web page. It’s not possible to use JavaScript to view the contents of an input field on iOS since the current value attribute is actually being held in a platform-native control. The value of that control is uploaded when the user submits a <form>.

I don’t know for sure, but I suspect that the keyCode attribute of the KeyboardEvent in the JavaScript event handler is provided for backward compatibility. This API has been deprecated but there are still plenty of web pages out there that use it to handle keyboard input.

In fact, both the techniques shown in the sample app can be used for good as well as evil. Changing the content of a web page is a good thing when it’s done to make a page more readable or accessible. Handling keyboard events can also guide a user through a complex form or make viewing a slide show easier.

These are not inherently bad web technologies. The problem is that an iOS app has as much access to these technologies as the developer of the web page.

OAuth To The Rescue. Or Not.

Websites have been dealing with username and password attacks for as long as there have been <input> fields on their pages. One of the primary goals of OAuth was to keep a user’s login information away from an external website or app.

OAuth does this by exchanging cryptographically signed tokens between the site where the user has an account and the app or web service that wants to access that account. A key factor in making this secure is that the exchange of these secure tokens is done through a trusted channel: the user’s web browser. Twitter has required third-party developers to use OAuth since 2010.

As early as 2008, the developers of OAuth recommended the following:

We’re trying to ensure that users are only exposed to the safest way to disclose their location using OAuth. To do this, it’s critical that a fundamental principal of browser-based authentication is followed; that the contexts of the third party application and the web service authentication remain separate. To allow users to grant trust to an application, they must perform the OAuth action within their web browser, not within the applications themselves. Otherwise, there is no way to verify the identity and authenticity of any page which asks for their username and password. Users must not ever enter their username and password into a third party application when a browser-based authentication API like OAuth is available.

There is always a tradeoff between usability and security. Doing the OAuth token exchange with an in-app browser makes it easier for a user to login, but they’ll have no idea if their personal information was captured. That is why Twitterrific did its token exchange in Safari, even though it’s a more complex user interaction and a more difficult technical implementation. As a user, I know that there’s no way for my login to be compromised when the transaction involves Safari.

Unfortunately, Apple’s current App Review policy does not agree with this recommendation or with Twittterrific’s previous implementation. This is why our update for iOS 8 was delayed—it was the first time since the launch of the App Store that we haven’t had a new version on release day.

(Apple folks can learn more about this situation by reviewing Radar #18419943)

Recommendations for Apple

Apple has taken a strong and welcome stance on privacy. They’ve recently been implicated in some high profile attacks so they definitely have skin in this game. Hell, they even want to protect us from the US government watching what we do online!

There’s no denying that the behavior demonstrated above could be very harmful in the wrong hands. It’s also Apple’s job as the gatekeeper for iOS to keep malicious apps out of the App Store. But how?

I don’t think it’s feasible to catch misbehaving apps at review time. There are a huge number of apps that need to be reviewed every day, especially when new versions of iOS are released. Many of these apps use in-app browsers which would require extra time and effort to vet. Longer review times benefit no one: developers, Apple and our customers need timely updates.

It’s also very easy to an app to hide any nefarious activity. JavaScript has an eval() function that makes it easy for code to be obfuscated and very difficult to be checked at review time. Look at this page and see if you can guess how the uppercase text was created. Then view the HTML source and see how wrong you were.

Additionally, an app that wants to collect your information can easily implement a remote switch that disables the functionality while the app is in review. App reviewers won’t stand a chance.

Changing how WebKit and UIWebView behave isn’t practical either. To prevent this keylogging technique, Apple would need to release a new version of iOS for each version that included Safari and WebKit. Do you really think they’re going to do a point release of iOS 3?

And this brings me back to protecting users with OAuth. It’s designed to avoid these problems and works well to maintain privacy. Granted, it goes against section 10.6 of the App Store Review Guidelines, but in my opinion, this is a case where user security trumps usability. Apple should change their policy for apps that use OAuth.

Recommendations for Users

Another goal of this essay is to increase user awareness of the potential dangers of using an in-app browser. You should never enter any private information while you’re using an app that’s not Safari.

An in-app browser is a great tool for quickly viewing web content, especially for things like links in Twitterrific’s timeline. But if you should always open a link in Safari if you have any concern that your information might be collected. Safari is the only app on iOS that comes with Apple’s guarantee of security.

(For the record, we never collect any private information in any of the Iconfactory apps. And we never will.)

Written on September 24th, 2014 for Design, Development, Observation, Opinion

Confidence

We witnessed something amazing yesterday: a WWDC keynote that will be remembered for a long time. And not for the reason you might expect.

As developers, it’s easy to focus on the fantastic software that was announced: a UI refresh that’s getting a thumbs up from designers and developers alike, great new user-facing features in iOS and OS X, and literally thousands of new APIs that let developers do new and amazing things with their apps. We even got a new programming language!

**BLINK**

But that all pales in comparison to the undercurrent for all these changes: Apple has a newfound confidence in itself. It’s at the top of its game, and it knows it.

This is personified by the man who ran the show: Craig Federighi. It was only four years ago that we first saw him on stage at an Apple event. His shaking hand is still painful to watch, especially if you’ve felt that same fear while giving a presentation on stage. Yesterday, we saw a different man, one that owned the stage and the products being presented.

With this confidence, we’re starting to see some important cultural change in the company.

Legal agreements that lets developers talk about technologies without breaking confidentiality.
Opening up proprietary technologies like iCloud: providing more transparent access, without hiding things through opaque APIs.
Improvements to the App Store that give developers better ways to manage and sell their products.

This confidence manifests itself in many ways. When was the last time you heard an Apple executive tout the best product line he’s seen in 25 years?

In short, with confidence comes a new kind of openness. As developers, we’ve always struggled with a company that doesn’t want to give anything away. Yesterday, that started to change.

Written on June 3rd, 2014 for Business, Development, Observation, Opinion

It’s the Production Line, Stupid

“Apple Absolutely Has To Make An iPhone With A Bigger Screen”

(Warning: Business Insider link)

While that may be true, take a look at what happened at the end of last year: 47.8 Million iPhones Sold.

That’s a shitload of iPhones. But how many is a shitload?

47.8M iPhones
/ 90 days = 530K per day
/ 24 hours = 22K per hour
/ 60 minutes = 369 per hour
/ 60 seconds = 6 per second

That means that every second of every day you need six cases, six headphone jacks, six LCD screens, six batteries, six CPUs, six 10µf capacitors, six 10kΩ surface mount resistors, and thousands of other components.

Look at where all the leaks about new products come from: it’s always the supply chain that produces all these components. This should give you an idea of how many partners are involved.

Basically, Apple creates a pipeline that produces devices at an amazing rate. And it’s a finely tuned machine with a lot of inertia. You don’t just walk in and say, “Hey, let’s change the screen!” Doing so would throw that machine out of balance: a new screen means that some of the components (like the headphone jack) don’t change, while others would (the case, for example.)

A finely tuned production machine takes a lot of time and money to set up. Take a look at Apple’s capital expenditures. A mere $10B in 2012.

These capital expenditures show that Apple is planning ahead. At least 2-3 years, maybe more. You don’t just walk into Foxconn and ask for 50M iPhones. You need to predict the future.

Sure, it would be great to have a larger screen iPhone from what is known about current market conditions. But was a larger screen a sure thing 2-3 years ago? While you were falling in love with the new Retina display on your iPhone 4, I bet you weren’t thinking “Man, this display has got to be bigger!”

The cost to setup that production line is also a part of the final cost of the device. More frequent changes to the production line means that each device costs more or earns less profit for Apple.

As Apple continues to sell ever more devices, I see two things that could happen:

A broader range of products (meaning more, smaller production lines to spread the demand)
Increase the size of the production lines along with amount of time they stay online (meaning new devices are introduced every three years instead of two)

Given the highly competitive nature of the mobile space, I suspect we’ll see the first option come into play in the coming years. In the meantime, screens tick, while speed tocks:

For people wondering why there's no larger screen this year: 3GS -> 4 = Retina 4S -> 5 = Tall 5S -> 6 = Large Screens tick, speed tocks.

— Craig Hockenberry (@chockenberry) August 14, 2013

Written on August 15th, 2013 for Business, Miscellaneous, Opinion

AMBER Alert Usability

If you live in the State of California, you got an AMBER Alert last night just before 11 PM. If you have an iOS device, you saw something like this on your lock screen:

Or like this in Notification Center:

And if you’re like most people, you had no idea what it meant. Considering it’s a broadcast to locate missing children, that’s a bad thing. Let’s examine the usability of this alert and think about how this system can be improved.

Updated August 6th, 2013: Lex Friedman has written a great summary of AMBER Alerts at Macworld. Among the revelations: the text of the messages are limited to just 90 characters!

First Impressions

In our household, there are many iOS devices. At the time of the alert, we were in the living room with two iPads and an iPhone. The alert’s sound is designed to get your attention, and that it did!

Both my wife and I gave each other that “what the hell is wrong” look as I grabbed my iPhone from my pocket. Turns out we weren’t the only ones who were frightened by the sound:

That Amber Alert tone you received on your cell phone might have scared some of you but we need all eyes out for this http://t.co/w9hfIq7Y2p

— CHP Southern Div. (@CHPsouthern) August 6, 2013

My wife’s first question as I looked at my phone was “Are we having a tsunami?” (we’ve had these kind of emergency broadcasts before.) I replied with, “No, It’s an AMBER Alert”. To which she replied, “What’s that?”

And therein lies the first problem: I had no idea.

Unlike all other notifications on my iPhone, I couldn’t interact with the alert. There was no way to slide the icon for more information or tap on it in the Notification Center to get additional information. Through a combination of Google and my Twitter timeline, I eventually figured it out:

Given the confusion I'm seeing on Twitter, it's really stupid that you can't tap on the AMBER alert and get to this: https://t.co/ghAxdSQbun

— Craig Hockenberry (@chockenberry) August 6, 2013

But I was also seeing a lot of people on Twitter whose response to the confusion was to ask how to turn the damn thing off. And since AMBER Alerts aren’t affected by the “Do Not Disturb” settings, a lot of people went to Settings > Notification Center so they wouldn’t get woken again in the future.

That’s exactly what you don’t want to happen when a child is abducted.

Alert Text

In looking at the message itself, it’s hard to tell what it’s about. Starting an alert with an acronym may make sense to the government, but there’s wording that could resonate much effectively with normal folks:

Most folks have no idea of the reason these are called Amber alerts. Just call them “Missing Child Alert”. Watch everyone take notice.

— Michael Jurewitz (@Jury) August 6, 2013

It’s also hard to tell if this is a problem with “Boulevard, CA” or a “Nissan Versa”. And where is Boulevard? And what does a Nissan Versa look like? Who do I call if I see license 6WCU986? In summary, this notification provides more questions than answers.

This one image has answers to all of these questions and more. Why can’t I see that image after tapping on the notification?

The Alert Sound

As I mentioned above, the sound definitely let us know that something was wrong. But we were sitting comfortably in our living room. A friend of mine was driving at the time and probably listening to music from their iPhone on a car stereo. Being startled at high speed is dangerous:

We got the amber alert while driving last night. It almost caused an accident due to us panicking over the bizarre klaxon sound.

— Jonathan Wight (@schwa) August 6, 2013

Unlike the devices that existed when the AMBER Alert system was first introduced in 1996, our iPhones and iPads do a lot more than calls and texts. Music and video are immersive activities and hearing a loud horn can be a cure that’s worse than the disease.

Also, we’re all conditioned to immediately look at our phone when the normal alert sounds are used: a simple ding would have gotten just as much attention.

Do Not Disturb

And what the heck is up with this crazy sound happening if Do Not Disturb is turned on? Dammit, it’s my phone and I get to tell it what to do. Stupid Apple!

Well, take a look at your government first:

@janeylicious @drwave It’s government dictated/mandated as-is.

— Tyler Hawkins (@iphone_tyler) August 6, 2013

@iphone_tyler @drwave @chockenberry @Jury Emergency and AMBER alerts are specifically exempt from DND.

— Morgan Grainger (@morgangrainger) August 6, 2013

And if you want the details, it’s only going to cost you $205 to download:

@drwave @chockenberry @Jury Looks like the specification requires (an expensive) purchase… https://t.co/QqCXJnjuaA

— Tyler Hawkins (@iphone_tyler) August 6, 2013

Bottom line: these bugs aren’t going to be easy fixes.

(And if you think getting woken up because of an AMBER Alert is such a terrible thing, why don’t you explain your pitiful situation to this boy’s parents.)

File A Radar

Even though these bugs probably aren’t Apple’s direct problem, I’m still going to file a bug report. If you have a developer account, please feel free to duplicate that Radar.

Apple is in a very unique position to address these issues:

It has direct access to millions of customers and their mobile devices.
It employs many people with a deep understanding of how mobile devices are affecting our lives.

This is clearly a problem where cooperation between Apple, the Department of Justice, and the public can improve a system where everyone benefits. Better usability with AMBER Alerts is case where “think of the children” isn’t a trite platitude.

Written on August 6th, 2013 for Design, Development, Observation, Opinion

Been There, Done That

We’re all thinking a lot different today.

Designers and developers alike are coming to terms with Apple’s latest iteration of iOS. As I tweeted just before the announcement, there is only one way to describe it:

shock |SHäk| noun
• a sudden upsetting or surprising event or experience.

Those of us who’ve been around awhile had a similar experience 13 years ago. Apple switched from the Classic interface in Mac OS to a new Aqua interface. As fate would have it, I was in the room with some of my colleagues when Steve Jobs introduced a UI “that you wanted to lick.” We all left that keynote in the same state of shock as we experienced yesterday.

I think it’s useful to look at the history of Aqua while thinking about the future of iOS 7.

Some designers are saying that the new look is “over the top.” The same thing was said about Aqua over a decade ago. And in succeeding years, that original UI has continuously been refined to what we see today.

We’ve become accustomed to Apple’s incremental approach which continuously refines their products. This is typically an additive process where new features are included or existing ones are improved.

But with major user interface changes such as Aqua or iOS 7, Apple has another tendency: they overshoot the mark. Their incremental approach then becomes one where unnecessary items are removed (such as Aqua’s stripes) or improved (excessive shadows and transparency are toned down.)

There’s a good reason for this: it’s much easier to take away elements from a design than it is to add them. Simplicity is achieved by removing that which is not really needed.

One parallel with iOS 7 and Aqua that I don’t expect to see: an evolution that takes over a decade. There are a couple of reasons for this.

The first is that the pace of development for iOS is much faster than we’ve ever seen for OS X. Ask any developer and you’ll hear the same thing: it’s a constant struggle to keep up with Apple’s improvements on iOS. Shit happens, and it happens quickly.

Another is the amount of time Apple’s designers have had to work on this project. The decision to put Jony Ive in charge of the interface design happened in October: a mere eight months ago. A major overhaul of a system-wide interface takes much longer than that.

It would not surprise me to learn that the developers had a very short time with the graphical assets we saw yesterday (think in terms of weeks.) This would also explain why the first beta is only available for smaller screens. The development work to support larger screens is relatively easy, but specifying the layouts and generating the assets is much harder.

Another important aspect to consider is the conditions where this new user interface was being evaluated. Every iOS developer who was using iOS 7 prior to yesterday’s announcement was using a security screen. These screens distort the colors and other elements on screen. Try looking at your laptop screen with polarized sunglasses and you’ll see what I mean.

Apple’s “doubling down on secrecy” also played a part. No friends or family were able to see an engineer’s work-in-progress. It’s likely that no one outside the engineering organization was able to give feedback on what they saw. I can think of a few types of users where this kind of criticism is essential: kids that can’t read, friends with vision impairment and parents with failing eyesight.

The good news, and reason I think that we’ll see many improvements before the fall, is because these kinds of surface changes are relatively easy to implement.

Which leads me to my final points: what are the most exciting parts about what happened yesterday?

It’s hard to tell from the keynote, but all of the interactions that surround the app you’re using are vastly superior. Unlike the visual redesign, the work on Springboard feels more mature. It’s likely that work has been underway for a much longer period of time (probably before last year’s WWDC.) Moving around in iOS is so much more fluid and natural.

Like with Aqua, these fundamental changes in how things work will stick around for a long time. We may complain about how things look in the short term, but improvements in usability will be something that we value much more in the long term.

But more importantly, and more subtly, is the change of focus within the apps themselves. In the design of Twitterrific 5, we went through the process of figuring out what content was most important and then designing controls around that information. Previous designs focused on the control structure first and then filled it with content.

(It’s also interesting to note that apps like Twitterrific and Vesper, which take this content-centric approach, also immediately feel at home on iOS 7.)

It’s clear that Apple’s designers have done the same thing: their focus has shifted towards content. I can’t wait to see what happens to the iOS ecosystem when other designers and developers follow their lead. That path forward won’t be easy, but it will take the platform to a whole new level. Yet another example of “can’t innovate any more, my ass”.

Written on June 11th, 2013 for Design, Development, Opinion

Category: Opinion