Doesn't this open up a bit of a privacy issue? Couldn't you scrape logged-in data from someone's social media accounts etc? Maybe I'm misinterpreting things...
I could see iOS 9.1 having a permissions dialog for "<app name> wants to access <certain domain list> while you use the app" to prevent that from happening. Until then, I could see this feature being inevitably abused.
OP here. iOS 9's SFSafariViewController, unlike UIWebView or WKWebView, runs out-of-process and cannot be data-scraped. Because of this, SFSafariViewController shares cookies with Mobile Safari. The use-case here is essentially loading a special URL on the website that will take any logged in session and return back an OAuth token that the native app can use.
The communication method in the demo is as if you were talking indirectly with Mobile Safari, using a custom url protocol (e.g. fooapp://), or by using the new (safe) Universal links (apps can register specific domains/urls that will redirect back to the app, using their Associated Domains entitlements).
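One way the native app could check the redirect described above before trusting the token it carries, as an added example that is not part of the original thread or the demo's code. The `CallbackValidator` type, the `auth-callback` host and path, `app.example.com`, and the `state` and `token` parameter names are assumptions; only the `fooapp://` scheme comes from the comment.

```swift
import Foundation

// Added example; every name except the fooapp:// scheme is an assumption.
enum CallbackError: Error { case untrustedOrigin, missingField, stateMismatch }

final class CallbackValidator {
    private var pendingState: String?

    // Call before presenting SFSafariViewController and put the returned value
    // in the login URL so the website can echo it back in its redirect.
    func beginRequest() -> String {
        var rng = SystemRandomNumberGenerator()
        let state = (0..<16)
            .map { _ in String(format: "%02x", UInt8.random(in: 0...255, using: &rng)) }
            .joined()
        pendingState = state
        return state
    }

    // Call from the app's custom-scheme or Universal Link handler.
    func token(from url: URL) throws -> String {
        guard let parts = URLComponents(url: url, resolvingAgainstBaseURL: false) else {
            throw CallbackError.untrustedOrigin
        }
        let scheme = parts.scheme?.lowercased()
        let host = parts.host?.lowercased()
        // Accept only the two return routes the app registered.
        let viaCustomScheme = scheme == "fooapp" && host == "auth-callback"
        let viaUniversalLink = scheme == "https" && host == "app.example.com"
            && parts.path == "/auth-callback"
        guard viaCustomScheme || viaUniversalLink else { throw CallbackError.untrustedOrigin }

        let items = parts.queryItems ?? []
        guard let state = items.first(where: { $0.name == "state" })?.value,
              let token = items.first(where: { $0.name == "token" })?.value,
              !token.isEmpty else { throw CallbackError.missingField }

        // The state value is single-use: clear it whether or not it matches.
        let expected = pendingState
        pendingState = nil
        guard let expected = expected, expected == state else { throw CallbackError.stateMismatch }
        return token
    }
}

// Constructed sample callback, delivered twice to show the replay check.
let validator = CallbackValidator()
let state = validator.beginRequest()
let callback = URL(string: "fooapp://auth-callback?state=\(state)&token=abc123")!
print((try? validator.token(from: callback)) ?? "rejected")
print((try? validator.token(from: callback)) ?? "rejected")
```

The second call is rejected because the stored state was consumed by the first, so a callback URL that is captured and delivered again yields no token.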
[+] [-] numair|10 years ago|reply
[+] [-] rizwan|10 years ago|reply
[+] [-] taylorhughes|10 years ago|reply