Securing WebViews with Chrome custom tabs (opens in new tab)

(blog.plaid.com)

54 pointsbjacokes6y ago13 comments

13 comments

11 comments · 3 top-level

Spivak6y ago· 4 in thread

I really wish the idea that apps need to open websites in-app would go away. Like it looks neat when you're demoing it for your coworkers but it just increases the number of taps since to do anything useful I need to open in in Chrome/Safari anyway.

If the in-app browser was just a window into actual Chrome/Safai (i.e. it's a real tab when you open Chrome/Safari and has your logins bookmarks, etc.) and you could "pull" the window into the foreground as a slick transition to the browser app then it would be fine, but as it's implemented it's mostly just annoying for everything but oauth flows.

goranmoomin6y ago

Hmm, that’s strange because I mostly find the ability to open websites in-app very useful: The context of how I was directed to the website exists in the app. I feel that if the site I’d moved to Safari, I eventually forget how I got to this site.

I think the problem isn’t in the WebView model - It’s probably that you have to use the browser to do something useful that WebViews can’t.

skavi6y ago

That’s exactly how chrome custom tabs on Android work. Moving the app custom tab to the browser does not even reload the page.

yunyu6y ago

Chrome custom tabs have access to your passwords and autocomplete history, for what it's worth

dbbk6y ago

This is essentially an Oauth flow...

hadrien016y ago· 4 in thread

What happens if you don't have Chrome installed on your device?

beverloo6y ago

Firefox and the Samsung Browser also support custom tabs. The default launching code will prefer your device's default browser.

szhu6y ago

> While not all users have Chrome installed, the vast majority do. For those who do not, we are using the browser fallback method described above (option 3); other than adding one line of code, we get the fallback for free from CCT. As noted before, the browser fallback is not the ideal user experience due to its latency, but it does maintain the high level of security that Plaid requires.

hadrien016y ago

Maybe I misunderstood the article, but the way I read this sentence is 'this is one of the four options we considered, and it wasn't implemented because of the UX'

whatsmyusername6y ago

> it does maintain the high level of security that Plaid requires.

When plaids infrastructure gets popped the fallout is going to be incredible. Hundreds of thousands of bank logins, ripe for the picking.

2 more replies

gruez6y ago

>[...] This opens the door for other apps to run malicious code, such as registering callbacks that try to intercept usernames and passwords. Additionally, a malicious app could open another web page that mimics the Link flow in a phishing attempt.

I'm not sure what type of threat model they have, but I don't see how this increases security at all. If the app is malicious, there's nothing preventing them from faking the CCT interface, or omitting it all together. It's not like users would be suspicious if they were asked for credentials outside of a chrome custom tab.

Ironically, Plaid is doing the same thing. Their login screen[1] is designed to look like you're logging into your bank, even though your passwords are sent in plain text to plaid.

[1] https://plaid.com/demo/?countryCode=US&language=en&product=t...

j / k navigate · click thread line to collapse