graham1776 | 3 years ago

I've meant to write a blog post about this, but here goes: In-app browsers allow users to view inappropriate content, often against the wishes of sensitive individuals. People especially at risk for this include addicts and children.

Nearly every app, even "safe apps" including children-rated apps, allows access to an in-app browser. Even when iOS has locked down all access to Safari, a parent has removed access to all the "apparent" unsafe sites, there are still ways to access the unfiltered internet inside of these safe apps.

How? Usually buried in App Settings. Almost all apps use some instance of an in-app browser to (lazily) reference their privacy policies, EULAs, or TOCs. A buried link leads to a homepage, leads to an Instagram link, leads to an unfiltered internet. Yes they are long, inefficient paths to reach the internet, but curious (or motivated) individuals or children will use almost any app to reach the internet. Even boring apps like MS Teams or adding a Gmail account to iOS mail use a secret in-app browser.

This obviously presents a problem: should developers restrict any and all app access to in-app browsers, or leave policing to individuals/parents? An easy approach is to disable the in-app browser functionality in iOS, but obviously with grave cost to developers. At the same time, at what cost is in-app browser functionality being implemented?

wepple|3 years ago

Tangential, but these same links have always been a great way to break out of poorly designed kiosk systems.

I recall noodling with a huge interactive display on the side of a bus stop that had an embedded map, and surely enough the TOS link launched a browser, and from there you could use the Save As dialog to get to anything to execute.

orlp|3 years ago

As a kid I loved doing this in every museum/library/other place that always had 'locked down' interactive Windows systems back in my youth.

One of my favorite ones was in a museum where I was with a friend, and there was a PC. We were bored and wanted to play some flash game, but we only had access to a mouse, and clicking links inside the locked fullscreen browser. With enough clicks we got to google and managed to copy/paste letter by letter the name of a game site in the search field and play some games.

grishka|3 years ago

Also on Android-based kiosks, you can get into the OS through the on-screen keyboard if they're using it. Try long tapping the buttons around the spacebar, one of them would usually get you into system settings. From there you can as much as completely take over the device if you wish.

sirsinsalot|3 years ago

Novell Netware had a similar bug circa 1998 whereby pressing `F1` at the login screen of the terminal opened the help dialog, which opened links in IE ... from there the main Windows shell could be run and bingo ... you're in.

ghayes|3 years ago

This is how I get to web videos on my Peloton. Viewing the mandatory software licenses leads to web links and then you can visit anything in that Chrome browser window.

CodeSgt|3 years ago

I'm glad to see someone mention addicts. I feel as if internet addiction, and especially subsets of it such as porn addiction, aren't given enough weight by either the addiction treatment community or the technical community.

Before someone accuses me of being a conservative religious zealot as tends to happen when anyone denounces porn, I'll say that I'm far from a puritan and am extremely liberal in my social views. That said, I firmly believe that easy access porn is one of the worst things happening to the young men and women today. I (23) know many men around my age who suffer from chronic porn addictions to the point that it severely impacts their ability to form real relationships and median age of first exposure is getting lower and lower.

It's an absolutely crucial issue that no one seems to be talking about or taking seriously.

d110af5ccf|3 years ago

You claim to be extremely liberal in your social views but then in the next breath make the assumptions that difficulty forming relationships today is significantly greater than in the past and further that this fact is due to effects that are caused (ultimately) by viewing porn. Those are both very socially conservative viewpoints and I have yet to find scientific data (or anything else I'd consider even remotely reliable) that back either of them up, particularly the second one.

If I were to accept (purely hypothetically) that it is significantly more difficult for many people to form relationships today then how do you suppose to show that this change is due to porn instead of, say, the prevalence of dating apps such as Tinder? Or any number of other factors including things like job stability, housing prices (and thus perceived security of living situation), and where people choose to spend their free time (for example going out on the town in the past versus perhaps doomscrolling twitter and watching netflix).

Zababa|3 years ago

> It's an absolutely crucial issue that no one seems to be talking about or taking seriously.

Most men's communities talk about it in one form or the other. However, most men's communities on the internet are usually close in one form or another to the right politically.

flappyeagle|3 years ago

What does it mean to be addicted to porn? Daily viewing? Hourly? Constant?

b3morales|3 years ago

Granting the facts, your hypothesis is equally plausible if reversed, to wit:

People who have difficulty forming intimate relationships will often turn to habitual pornography viewing.

michannne|3 years ago

We used to exploit these types of paths when school IT admins didn't know how to filter traffic properly but knew to block proxies.

LegitShady|3 years ago

There was a period of time at my high school where we would compile a default browser app in Borland C++ and it would let you access whatever it wanted. They noticed because they got proper filtering after that...

smoldesu|3 years ago

Or maybe... just don't give your kids an iPhone?

Seriously, using the internet/computers should be treated with the same level of caution as grown-up scissors or fillet knives; powerful tools, but they need training to avoid hurting yourself with them. If this is what you're worried about, why are you even giving them a small computer in the first place? Your kids will always be more cunning than your security policy (a hard pill to swallow for HN users), so control their access to technology unless you're ready to have a serious sit-down discussion about the internet, personal privacy, and all that jazz. Put yourself in their shoes; if you're given a small black brick with an indeterminate number of capabilities, wouldn't your response be pushing it as far as it can go? I know that was my reaction when I was a kid, after buying a Pentium desktop at a garage sale.

bigfudge|3 years ago

Says someone who doesn’t have kids. I really don’t think it’s a big empathetic leap to imagine that young teens would want to take part in the modern world, and that includes some access to the internet.

And no, constant supervision is not an appropriate answer. Teens will want to research some things without their parents’ knowledge. That’s normal.

But it doesn’t mean that we should throw our hands in the air and make no effort to protect the majority of kids from the worst of the internet. Yes some bright sparks may find ways to circumvent the controls, but it at least makes it harder for them to send a disguised goatse link to their friends.

Minor49er|3 years ago

I wish this was still considered to be common sense

jacquesm|3 years ago

Brilliant insight. Could you please convince my children's school that they do not need a smartphone? Because they f'ing mandate it and I have not found a way around this yet.

underwater|3 years ago

This is such a naive take. I assume you don't have kids or teens?

Children don't exist in a neat subservient bubble. They have peers, social pressures, see advertising, consume television and movies.

Our kid's school had everyone buy an iPad. Already, at pre-phone age, so much socialisation has moved into the digital space. FaceTime, iMessage, Roblox, etc.

I was going to say banning phones would be like a kid in the 80s without television. But really it would be like being a kid in the 80s who wasn't allowed to have a TV, listen to the radio, have a phone line, and wasn't allowed to socialise outside of school.

TedDoesntTalk|3 years ago

They’re given Chromebooks in school and can’t complete assignments without them. Now what?

chinchilla2020|3 years ago

You don't have kids.

Your child would be the only one at school with no phone and probably be pretty embarrassed about it.

ars|3 years ago

You can't live in today's world without a phone.

All the mechanisms of the past that were geared for this no longer exist.

For example: Drive on the road, get to a toll, don't have a Transponder to pay the bill? No problem - just call a phone number. Uh, what if I don't have a cell? This literally never even occurred to them, there is no alternative way to pay the bill.

That's life today, and it applies to children as well. Want to go to some sports place that only caters to teens and above? Load this website on your phone and fill out an application. Don't have a phone? Borrow a friend's phone.

davet91|3 years ago

The in-app browsers could use a domain whitelist if parental controls are turned on.

yowzadave|3 years ago

Shouldn't an in-app browser whose sole purpose is to read an app EULA/TOC/etc. always employ a domain whitelist, regardless of parental controls?

adaktix|3 years ago

It shouldn't be a parental controls thing for IG, it just needs to be made so when you're using an in-app browser, you're using it for one reason, whatever site you clicked on. Leaving the domain ends the process or opens in another browser.

graham1776|3 years ago

That could be an "easy" fix where you could disable use of in-app browsers through Screen Time options.

gowld|3 years ago

The OS should apply a domain whitelist to apps, in coordination with the app developer and the device "owner". (Like uBlock Matrix)

xfitm3|3 years ago

Doesn't the harm of surveillance outweigh the harm of viewing "inappropriate content"?

Think of the addict is a new one, but I am automatically suspicious any time someone cites child protection.

goda90|3 years ago

I think you're seeing this as a "take away this choice from society to protect the children" kind of deal, but to me it seems more like the argument is to give choice to parents and addicts to control their own devices more completely. All other things being equal, why would a consumer want to not be able to control both the browser and in-app browsers as much as possible?

Fogest|3 years ago

I have a browser based game I play that makes use of many userscripts and browser extensions to further improve/enhance the game. However mobile users suffer from a problem of not having such extras. There is a very nice app someone made on Android and iOS that uses in-app browsers in order to be able to add a lot of custom things.

There are many useful instances for the in-app browsers and I don't think they should be removed because of some bad actors. It's similar to how Android has had password managers making use of autofill tools via accessibility tools. Android was butchering that access, but luckily started adding some official autofill support.

I don't think removing capabilities in the favour of "safety" is usually the right approach in my opinion.

celtain|3 years ago

Most of the usecases mentioned in this thread wouldn't suffer if the in-app browser had to be invoked with a whitelist of approved domains/urls. Perhaps apps could request permission to run an unrestricted in-app browser, and that could be used to facilitate parental controls.

As an aside, is giving parents the option to disable in-app browsers removing a capability or adding one?
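The domain-whitelist idea raised in this thread (davet91, yowzadave, adaktix and celtain above) comes down to one decision made on every navigation. The following is an added example, not code from any commenter or app: `decideNavigation`, `ALLOWED_HOSTS` and all URLs are constructed placeholders, and the function is the kind of check an app would call from its web view's navigation callback (for instance a `WKNavigationDelegate` or an Android `WebViewClient`).

```javascript
// Added example: navigation policy for a single-purpose in-app browser
// (e.g. one that exists only to show a privacy policy or EULA).
// ALLOWED_HOSTS and every URL used with it are constructed placeholders.
const ALLOWED_HOSTS = ["legal.example.com", "example.com"];

// Returns one of:
//   "allow"    - load inside the in-app view
//   "external" - leave the in-app view and hand the URL to the system
//                browser, where device-level parental controls apply
//   "block"    - refuse outright
// Call it for every navigation the web view reports (link clicks and
// redirects), not only for the first URL the app opens.
function decideNavigation(rawUrl, allowedHosts = ALLOWED_HOSTS, includeSubdomains = false) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return "block"; // unparseable input is never loaded
  }

  // Only https pages; javascript:, data:, file:, http: etc. are refused.
  if (url.protocol !== "https:") return "block";

  // "https://example.com@other.test/" really points at other.test.
  if (url.username || url.password) return "block";

  // URL() already lower-cases the host; also drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");

  // Compare whole labels. A plain substring or endsWith(allowed) test
  // would accept "notexample.com" or "example.com.other.test".
  const ok = allowedHosts.some(
    (allowed) => host === allowed || (includeSubdomains && host.endsWith("." + allowed))
  );
  return ok ? "allow" : "external";
}

// The click path described in the original post: policy page, then the
// vendor homepage, then a social-media link (constructed URLs).
function walk(path) {
  return path.map((u) => decideNavigation(u));
}

console.log(walk([
  "https://legal.example.com/privacy",
  "https://example.com/",
  "https://www.instagram.com/example",
]));
```

Returning "external" rather than silently loading the page follows adaktix's suggestion that leaving the domain should end the in-app session or open another browser.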

RainaRelanah|3 years ago

Mind if I ask what game?

Kiwi on Android is a Chromium fork that re-enables extensions on mobile. Works well for userscripts/extensions, though often times those UIs don't scale well to mobile.

aaaaaaaaaaab|3 years ago

Ok guys, you’ve heard it, there’s an app that uses in-app browser to let you play some browser-based game! I guess we’ll just have to accept the status quo, otherwise the mobile players of this niche browser-based game would be inconvenienced!

registeredcorn|3 years ago

Interesting! This reminds me of the classic Windows 95 bypass. You abuse the help screen to gain access to the desktop without having to login.[1]

I'm currently going through HTB Academy and once you mentioned unsecured in-app browsers, the first thing I thought of was either a Web Shell[2], or better yet, directing the in-app browser to a malicious website to download additional software to better exploit the phone. If the in-app browsers aren't filtering explicit content, I have to assume they aren't filtering malicious content either.

If this isn't already a well-known route of exploitation, I'm interested to see how that might change in the near future. It sounds surprisingly easy to exploit, provided you can get momentary physical (remote?) access to the phone for a short time.

[1] https://www.youtube.com/watch?v=1UfNlRe-goY

[2] https://en.wikipedia.org/wiki/Web_shell

franga2000|3 years ago

If someone is knowledgeable and committed enough to dig through all their apps, find any in-app browsers and try to break out onto the web, they will also realize that simply using another device will bypass all your silly blocks.

amenghra|3 years ago

In the early 1990s, we used to break out of Macintosh's AtEase at our middle school by writing a two line MacBasic program which launched Finder. We would then bring games on floppies. Everything old is new again!

Forgeties79|3 years ago

> Yes they are long, inefficient paths to reach the internet, but curious (or motivated) individuals or children will use almost any app to reach the internet.

I don’t think this can be overstated. How many people tell you stories of watching signal-scrambled porn on TV when their parents are asleep? How many of us waited until our parents are asleep to play video games late at night? How many millions covertly downloaded Napster/Kazaa/etc. and downloaded 30 versions of a song before they finally got the one they wanted?

Being “motivated” as a kid or a teen is a low bar.

qwertox|3 years ago

I think on Android they could use Chrome Custom Tabs [0] instead of WebViews. IIRC this also protects the browser content from being accessed by the hosting app, but there is still a limited communication which is possible between the app and the tab.

[0] https://developer.chrome.com/docs/android/custom-tabs/

nodamage|3 years ago

> Nearly every app, even "safe apps" including children-rated apps, allows access to an in-app browser. Even when iOS has locked down all access to Safari, a parent has removed access to all the "apparent" unsafe sites, there are still ways to access the unfiltered internet inside of these safe apps.

Last time I checked, WKWebView will follow the parental control settings set on the device.

O__________O|3 years ago

Reminds me of stories I have heard about users of computer systems with “strong” access controls figuring out ways to make it to unfiltered internet; examples include: student/prisoner computer labs, public libraries, flight entertainment systems, public kiosks, operating system logins, etc.

rahkiin|3 years ago

It is interesting how this would apply for custom browser engines in the future of iOS.

CharlesW|3 years ago

This class of security problem is also a great reason to never allow custom browser engines.

t8ty2evj|3 years ago

This seems like a non-issue. Where's the damage? I'm tired of people using children and a minuscule population of users w/ severe content sensitivities as excuses to justify features that are really just tools for asserting norms. The children are fine. We've been talking about how bad the internet is for children so long that those children grew up, led fulfilling lives, had their own children, and now those children are apparently being ruined by the internet. What children need isn't more protection, it's an escape hatch from all the forces trying to manipulate them during their most vulnerable years.

cercatrova|3 years ago

I have to agree here. "Think of the children" is an excuse as old as time.

goda90|3 years ago

>What children need isn't more protection it's an escape hatch from all the forces trying to manipulate them during their most vulnerable years.

Isn't addicting content a force that's trying to manipulate them? Porn, certain kinds of games, online gambling, etc can all get their hooks in someone. Prevention is better than having to fight the addiction in the first place, is it not?

polote|3 years ago

A feature doesn't become a problem because 1% have an issue with it (people who use parental control).

The internet is the internet; if you want to restrict what people can see on the internet, the only solution is to not have access to it at all.

bigfudge|3 years ago

Do you have kids? It’s really not easy to withdraw all internet access without substantially disadvantaging them. But I don’t want them reading 4chan either. Anything which makes that less likely without fundamentally breaking things is welcome to me.

j2bax|3 years ago

Why don't you just make sure there are no unsavory links on whatever page you are using the in-app browser for and disable/hide the address bar so they can't just jump onto the open web? Seems like you can have your cake and eat it!