by saberworks 3173 days ago
I'm usually completely against using "apps" for anything, but does using an app (on mobile) protect against this type of thing? Does an embedded web view have access to the things you're logged into in your main browser on your phone? So does using my credit union app to access my account protect me from them getting all this info from my phone browser?
4 comments

Safer? I doubt it; apps can ask the Android system for a list of installed packages and a list of currently running apps:

http://stacktips.com/tutorials/android/how-to-get-list-of-in..., https://stackoverflow.com/questions/3304685/how-to-get-the-l...

For example the Facebook app is a curious one. IIRC it also asks the system to notify it when a package (any package) is installed or uninstalled: https://stackoverflow.com/questions/11246326/how-to-receivin...

I guess they can easily track the popularity of apps like Snapchat or WhatsApp. Geez, also, identify any apps that are "going viral" in popularity, and either buy the company, or squash them through imitation...

On iOS, checking deep link URL schemes (does user X have 'Gmail' installed on their phone?) is pretty straightforward albeit rate-limited.

The typical embedded WebView is even less secure. The app containing the webview can see everything that you do within it -- including capturing login information for other sites.

At least with iOS, Apple introduced an out-of-process Safari View Controller that can share cookies, logins, etc. with Safari inside an app, but doesn't allow the app to intercept what you are doing.

Yes, it does, since apps are sandboxed better than web pages. There are a number of steps you can take depending on your browser: Disabling 3rd-party cookies prevents this attack. So does Firefox's Containers (or just private browsing) and other addons like uMatrix.