Bug 184791 - REGRESSION(iOS 11.3): UIWebView drops connections when the app is backgrounded
Summary: REGRESSION(iOS 11.3): UIWebView drops connections when the app is backgrounded
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: Safari 11
Hardware: iPhone / iPad iOS 11
: P1 Blocker
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-04-19 13:14 PDT by jeremy.bassi
Modified: 2023-11-23 05:12 PST (History)
10 users (show)

See Also:


Attachments
Video of issue described along with Xcode project (3.50 MB, application/zip)
2018-04-19 16:01 PDT, jeremy.bassi
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description jeremy.bassi 2018-04-19 13:14:07 PDT
The majority of Workday customers are configured to use multi-factor authorization which requires leaving the Workday app to go to Duo or a similar authorization app. 

In previous versions of iOS (< iOS 11.3) when UIWebView was loaded in the Workday for Duo login and the user must background Workday to tap the authorization button in Duo before returning to Workday, the UIWebView controller supported maintaining an active connection which the Duo WebView would poll to look for confirmation of authentication. With iOS 11.3, the UIWebView controller no longer supports maintaining a connection when the app is backgrounded (https://openradar.appspot.com/39508158). Specifically, the WebView does not have the ability to refresh itself to determine that authentication is granted. 

We are also unable to switch to using WKWebView controller because it does not support 3rd party certificate pinning which is a security requirement for Workday customers. 

Please reference https://openradar.appspot.com/39508158 which already has a test app attached. 

We are also in the process of creating a test app and will update this ticket as soon as we have that test app ready for submission.
Comment 1 Alexey Proskuryakov 2018-04-19 14:00:34 PDT
rdar://problem/39508158
Comment 2 jeremy.bassi 2018-04-19 15:59:13 PDT
Here are a list of instructions on how to reproduce the issue described. We recreated a login flow that Workday customers are having issues with using Okta and Duo. This bug is not reproducible on iOS <= 11.2.6 and the sample app must be run on devices running 11.3 to recreate the issue.

Setup Instructions:
Install DUO Mobile on test device from the App Store: https://itunes.apple.com/us/app/duo-mobile/id422663827

1. Navigate to https://workday18611-2.okta.com on desktop Safari.
   1a. Login using username: apple.test and password: WebKit123
2. Press Setup
3. Press Start Setup
4. Select Add tablet > continue
5. Select iOS > continue
6. Press "I have Duo Mobile"
7. Follow instruction on screen to link Duo Mobile to device
8. Scroll down and press continue
9. Press "Continue to Login"
10. Continue next steps on test device with Duo installed.

How to run sample project (see attached video):
1. Build and run Xcode project onto device. Launch provided sample app (blocker18611).
    1a. Login using username: apple.test and password: WebKit123
2. Select setup if shown
3. Press "Send me a push"
4. Tap Login Request notification to navigate to Duo Mobile
5. Press "Approve" in the Duo Mobile App
6. Navigate back to Sample App

Notice that Duo is not reporting a successful sign on and that the webview does not maintain the connection. If the same steps are done using <= iOS 11.2.6, Duo will report successful within the webview.
Comment 3 jeremy.bassi 2018-04-19 16:01:12 PDT
Created attachment 338373 [details]
Video of issue described along with Xcode project
Comment 5 Brady Eidson 2019-08-21 21:28:16 PDT
Are you still seeing this with iOS 12 (or the 13 beta if you're trying it)?
Comment 6 jeremy.bassi 2019-08-22 08:45:27 PDT
@Brady, Workday has recently moved over to using WKWebView and the issue does not occur anymore. I have a feeling that this issue still exists on UIWebView, but I have not tested this.