Is it good to use WebViews in React Native from Security Perspective? - react-native

I was going through this link and they mentioned that:
In a WebView, any malicious code in the page has the same rights as the application. This means you need to make sure to only load trusted content. But there is another risk–a malicious app may also have access to browser content (like cookies) and may snoop passwords or intercept OAuth codes.
I was wondering why would Facebook implement WebView then if it had security vulnerabilities.
Is it good to use WebViews in React native mobile application?
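The quoted warning boils down to one rule: a WebView must only ever be allowed to navigate to content you control. The following is an added example, not code from the question or from React Native, showing how that rule is enforced in practice with react-native-webview: an exact-origin allowlist applied in the `onShouldStartLoadWithRequest` callback (the library hands it a request object with a `url` field), plus the Android-side props that close off file and mixed-content access. The origins and the component props object are assumptions for illustration; the component itself is not imported so the module runs stand-alone.

```javascript
// Added example (not from the original post): decide whether a WebView may
// navigate to a URL, using an exact-origin allowlist. Meant for the
// react-native-webview `onShouldStartLoadWithRequest` callback; the allowed
// origins below are assumptions.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // assumed: the only site this WebView should render
  'https://cdn.example.com',   // assumed: static assets for that site
]);

// Schemes that must never be followed inside the app's WebView: they either
// run script in the page's context or reach into the app's own files.
const BLOCKED_SCHEMES = new Set(['javascript:', 'file:', 'data:', 'blob:', 'content:', 'intent:']);

function isAllowedNavigation(rawUrl, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return false;                                 // unparseable: do not load
  }
  if (BLOCKED_SCHEMES.has(url.protocol)) return false;
  if (url.protocol !== 'https:') return false;    // plaintext or unknown scheme
  // Compare the parsed origin, never a string prefix or substring:
  // 'https://app.example.com.evil.com' and 'https://app.example.com@evil.com'
  // both fail here, because their origin is not in the set.
  return allowedOrigins.has(url.origin);
}

// The security-relevant props for <WebView>, returned as a plain object so this
// file runs without React Native. `request.url` is what the library supplies.
function webViewSecurityProps(allowedOrigins = ALLOWED_ORIGINS) {
  return {
    originWhitelist: [...allowedOrigins],          // library-level origin filter
    onShouldStartLoadWithRequest: (request) => isAllowedNavigation(request.url, allowedOrigins),
    javaScriptEnabled: true,                       // needed for the site itself; turn off if not
    allowFileAccess: false,                        // Android: no file:// from the page
    allowUniversalAccessFromFileURLs: false,       // Android: file:// pages cannot read other origins
    mixedContentMode: 'never',                     // Android: block http subresources on https pages
    setSupportMultipleWindows: false,              // Android: no pop-ups that escape the allowlist
  };
}
```

Usage: spread `webViewSecurityProps()` onto the `<WebView>` element and keep the allowlist as short as the site allows. Note that this protects against the first risk in the quote (untrusted pages running with the app's rights); it does nothing about the second (another app on the device reading the WebView's cookies), which is a platform question rather than something the component can fix.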

Related

How to log in to WebView rendered social logins (Facebook/Google)?

I'm working on an app that (for now) is essentially a WebView wrapper over an existing website.
There are social logins there, but when you click on them in the context of the app, the OAuth providers say the WebView user agent is not allowed. This is because in 2021 OAuth stopped allowing social logins via WebViews due to the risk of key-logging. I messed around with spoofing the user agent, but that both felt wrong and also didn't work for all social logins.
What would you recommend doing in this situation? My goal is to somehow allow people to log in with Google/Facebook. I'm open to ideas - e.g.
implementing native login solutions and passing tokens back to the main site in the WebView
opening an external browser and doing the login action in this higher security area
Where I'm having trouble is the specifics of making this all connect together. If anyone has any experience here, I'd love to hear from them.

How to embed dash app in existing platform with security?

We run some Dash apps in Docker containers, and we want to embed them into our platform (it's built with React for the UI and Flask for the API server). Our platform uses Flask JWT for authentication. What's the best way to secure the embedded Dash apps?
We are thinking of embedding the Dash apps using an iframe. We want the user to log in to our platform to use the Dash app. When the user uses the Dash app via our platform, they will not be asked for a username and password again. But if the user copies the Dash app URL into another browser, they will be asked to log in (to prevent the URL from being shared). How to do it?
thanks!

React Native Login Using WebAuth redirection to browser from app

When logging in using Auth0 WebAuth in React Native, it opens the browser for login.
I want to create a smooth login so that the user should not be able to tell whether they logged in using the app or the browser, just like a WebView. Anyone have any idea?
Just to be clear are you asking if Auth0 supports doing this without a browser? Given that it's likely using OAuth2 or OpenID Connect then the short answer is no.
Further to that, WebAuthn is a browser-based JavaScript API, so by definition it would require a browser with these features to be available.
That said, there's probably nothing preventing you from implementing a native WebAuthn-like experience using CTAP2 (the protocol that sits underneath WebAuthn) directly or a platform-specific wrapper around the same.

Can you interact with the app in test using absolute positioning in Detox?

I am trying to test a React Native app on Android which uses a native library which does OAuth-based authentication using a WebView. Detox does not support WebViews (yet), so I was wondering if I could tap on the keyboard using coordinates in order to get through the auth (bad, I know, but it gets me unstuck for now).
Since the oauth screen is outside your app, I'd recommend you do the following:
Create E2E tests for your login up to the oauth screen
Get a CLI for your oauth provider or figure out how to authenticate via node.js to get the auth token
Create a deep link path in your app that accepts the token as a param, stores it the way you'd store it normally, and triggers a continuation of the login flow (you may need to reverse engineer your native lib slightly)
This is generally the approach you want to take if you are using an external authentication party. If the party providing the auth package doesn't support 2 and 3, you should raise the issue with them.
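Step 3 of the answer above creates a deep link that accepts a bearer token and logs the user in. Any app on the device can open a deep link, so in a production build that path is a session-injection hole: an attacker-controlled app could plant its own token and have the victim act inside an attacker's account. The example below is added here and is not the answer's code; it shows one way to keep the hook but confine it to test builds and to shape-check the token before it reaches storage. The scheme, route, token format and the `isTestBuild` flag are assumptions (a real app might derive the flag from a build-time constant).

```javascript
// Added example (not from the original answer): a deep-link handler for the
// "token as a param" test hook. It is honoured only in test builds, because any
// app on the device can launch a deep link, and the token is shape-checked
// before it is stored. Scheme, route, token policy and storage are hypothetical.

const APP_SCHEME = 'myapp:';                     // assumed custom scheme
const TEST_LOGIN_ROUTE = 'e2e/login';            // assumed route reserved for the hook

// Opaque provider tokens: URL-safe characters only, bounded length (assumed policy).
const TOKEN_SHAPE = /^[A-Za-z0-9._~-]{16,4096}$/;

function createDeepLinkHandler({ isTestBuild, storeToken, continueLogin }) {
  return function handleDeepLink(rawUrl) {
    let url;
    try {
      url = new URL(rawUrl);
    } catch (e) {
      return { handled: false, reason: 'unparseable' };
    }
    if (url.protocol !== APP_SCHEME) return { handled: false, reason: 'foreign scheme' };
    // For a non-special scheme the first segment parses as the host: myapp://e2e/login
    const route = (url.host + url.pathname).replace(/\/$/, '');
    if (route !== TEST_LOGIN_ROUTE) return { handled: false, reason: 'not the login hook' };
    // Production builds must not let an external app inject a session token.
    if (!isTestBuild) return { handled: false, reason: 'test hook disabled in this build' };
    const token = url.searchParams.get('token');
    if (!token || !TOKEN_SHAPE.test(token)) return { handled: false, reason: 'bad token' };
    storeToken(token);        // same storage path the real OAuth flow uses
    continueLogin();          // resume the post-auth flow the native lib would have run
    return { handled: true };
  };
}

// Constructed wiring with an in-memory store, standing in for the app's real one.
function demo(isTestBuild, link) {
  const stored = [];
  let continued = 0;
  const handle = createDeepLinkHandler({
    isTestBuild,
    storeToken: (t) => stored.push(t),
    continueLogin: () => { continued += 1; },
  });
  const result = handle(link);
  return { result, stored, continued };
}
```

In the Detox run, the test obtains a token from the provider (step 2) and opens `myapp://e2e/login?token=...` with `device.launchApp({ url })` or `device.openURL({ url })`; the handler stores it and continues the flow. In the release build the same link is refused before the token is even read.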

Disable Twitter Universal Deep Links

Update: It appears Twitter has fixed this issue. Clicking the authorize button now works! Thank you all for the responses.
I have a UIWebView that opens and directs to Twitter's OAuth/Authorize webpage. The user signs in with their Twitter details and authenticates the use of our application with their Twitter account. This process worked perfectly before the release of the Twitter 6.37 iOS application. What happens now is, when the WebView detects https://twitter.com/oauth/authorize?oauth_token, instead of staying in the WebView it opens the native Twitter application and dies. If you uninstall the Twitter application everything works as usual, staying within the WebView. How can I prevent this from happening? I want to stay within my UIWebView and not automatically open deep links. I have been reading about the new URL deep link changes in iOS 9, but I am not sure how to stop them from my application to other native applications. Thanks for any help!
As a workaround, on the Twitter authentication screen we can use the Go button on the iOS keyboard instead of the sign-in button in the web view until Twitter fixes it.
Please refer to the attached screenshot for clarity.
I ran into this issue as well and figured out it was because my authorize endpoint was set to https://twitter.com/oauth/authorize?oauth_token="+oauthToken (I believe this was in the original documentation). If you add api as the subdomain, https://api.twitter.com/oauth/authorize?oauth_token="+oauthToken, it will no longer trigger the deep linking and load the Twitter app.
My answer to this via a Xamarin question:
Unless Twitter removes/updates the apps section of "https://www.twitter.com/apple-app-site-association" to allow a bypass or a secondary oauth that is not in the apple-app-site-association file I do not see how you would do it. These files are signed and iOS handles them at an OS level.
I have not played around very much with the continueUserActivity delegate and the NSUserActivity object that is passed to apps launched from UNI links, but I do not see a way for the launched app (i.e. Twitter) to return control to the original app, and at that point the oauth call-chain would be broken anyway....
Unique. Unlike custom URL schemes, universal links can’t be claimed by other apps, because they use standard HTTP or HTTPS links to your website.
Secure. When users install your app, iOS checks a file that you’ve uploaded to your web server to make sure that your website allows your app to open URLs on its behalf. Only you can create and upload this file, so the association of your website with your app is secure.
Via: https://developer.apple.com/library/prerelease/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html
I would report as an issue (bug?) to Twitter's Dev forum: https://twittercommunity.com
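The two answers above fit together: iOS decides whether a URL is a universal link from the apple-app-site-association file served by that exact host, so a path listed under twitter.com is claimed while the same path on api.twitter.com is not unless that host publishes its own file, and the app loading the URL has no say in it. The example below is added here and is not from the thread or from Apple; it implements the legacy `paths` matching rules (`*` for any run of characters, `?` for one, a leading `NOT ` to exclude, first match wins) against a constructed association, so a developer can check which URLs a WebView-hosted flow will lose to another app. The sample association is made up for illustration and is not the file Twitter actually serves.

```javascript
// Added example (not part of the thread): check whether a URL would be claimed
// by an app through a universal link, by matching it against the `paths`
// patterns in that host's apple-app-site-association file. The association
// below is a constructed sample, not the real file served by Twitter.

const SAMPLE_ASSOCIATIONS = {
  'twitter.com': {
    applinks: {
      apps: [],
      details: [
        {
          appID: 'TEAMID.com.example.twitterlike',          // assumed team ID and bundle
          paths: ['NOT /oauth/authorize/denied', '/oauth/*', '/*/status/*'],
        },
      ],
    },
  },
  // api.twitter.com serves no association in this sample, so nothing there is claimed.
};

// Legacy path syntax: '*' matches any run of characters, '?' one character;
// everything else is literal. Matching is against the path only, not the query.
function pathPatternToRegExp(pattern) {
  const body = pattern
    .split('')
    .map((ch) => {
      if (ch === '*') return '.*';
      if (ch === '?') return '.';
      return ch.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    })
    .join('');
  return new RegExp('^' + body + '$');
}

// Returns the appID that would claim the URL, or null if the URL stays in the
// WebView. Patterns are tried in order; the first match decides, and a 'NOT '
// pattern that matches excludes the path.
function claimedBy(rawUrl, associations = SAMPLE_ASSOCIATIONS) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'https:') return null;       // universal links only apply to https
  const assoc = associations[url.hostname];         // file is per host, subdomains included
  if (!assoc || !assoc.applinks) return null;
  for (const detail of assoc.applinks.details) {
    for (const pattern of detail.paths) {
      const negated = pattern.startsWith('NOT ');
      const re = pathPatternToRegExp(negated ? pattern.slice(4) : pattern);
      if (re.test(url.pathname)) return negated ? null : detail.appID;
    }
  }
  return null;
}
```

Run `claimedBy` over each URL your OAuth flow will load; anything that returns an appID will leave the WebView on devices with that app installed, which is exactly the behaviour the question describes. The only fixes available to the embedding app are the ones the thread already names: use a host or path the association does not cover, or get the site owner to change the file.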