[numair]

Doesn't this open up a bit of a privacy issue? Couldn't you scrape logged-in data from someone's social media accounts etc? Maybe I'm misinterpreting things...

I could see iOS 9.1 having a permissions dialog for "<app name> wants to access <certain domain list> while you use the app" to prevent that from happening. Until then, I could see this feature being inevitably abused.

[rizwan]

OP here. iOS 9's SFSafariViewController, unlike UIWebView or WKWebView, runs out-of-process and cannot be data-scraped. Beacause of this, SFSafariViewController shares cookies with Mobile Safari. The use-case here is essentially loading a special URL on the website that will take any logged in session and return back an oAuth token that the native app can use.

The communication method in the demo is as if you were talking indirectly with Mobile Safari, using a custom url protocol (e.g. fooapp://), or by using the new (safe) Universal links (apps can register specific domains/urls that will redirect back to the app, using their Associated Domains entitlements).

[numair]

Aha! So the web view "redirects" back into the app using an app:// link -- and because you're accessing that web view within the app itself, the redirect is captured within the app. Smart. I assume there is some sort of delegate thing that handles the browser events? Would it intercept the deep link or does that hit the app delegate?

Thanks for the awesome insights by the way.