krausefx / inappbrowser.com Goto Github PK

If app injected codes like

    var originGid = document.getElementById
    document.getElementById = id => {
        console.log('document.getElementById', id)
        return originGid(id)
    }

InAppBrowser.com will not be able to detect it unless the page calls document.getElementById('someid')

This can be solved by something like this: iwestlin@87aec98

However there is still a problem: if the injected code also uses Object.defineProperty to overwrite properies, this won't be able to detect it...

Maybe we could use window.addEventListener('error', ...) to catch errors and extract injection info from it,
if we set configurable: false to Object.defineProperty ...

If the injected JS code is like the following:

alert('cookie: '+document.cookie);

This site is not able to detect it, and it will still shows green message.

Cookie stealing is concerning, in case for example you tried to log-in to a site (within in-app browser), the host-app can inject malicious JS code to steal cookies, which essentially will steal your login session.

Currently have no idea on what to do, haven't check the repo code, just informing this behavior for now.

Optional: More background on this concern.

As far as I know iOS apps can inject code to be executed via WKUserScript as an alternative to evaluateJavascript and InAppBrowser.com cannot detect that since the injected code might run before the code of the web pag. See example code below:

let configuration = WKWebViewConfiguration()
configuration.allowsInlineMediaPlayback = false
let interceptorScript = WKUserScript(
       source: "window.fetch = () => {console.log(`fetch`)}; window.Promise = () => {console.log(`Promise`)}; window.addEventListener = () => { console.log(`addEventListener`) }",
       injectionTime: .atDocumentStart,
       forMainFrameOnly: false
)

configuration.userContentController.addUserScript(interceptorScript)
let webView = WKWebView(frame: .zero, configuration: configuration)

injectionTime: .atDocumentStart here means that this code will be executed immediately after document element is created but before any other script is executed. This means that app side can override almost any primitive/built-in present in the page and do whatever they want with them (like listening for certain things and transferring information back to the app.).

See: https://developer.apple.com/documentation/webkit/wkuserscript