iOS 14 issued a number of changes, as every new release does. But one area where Apple clearly spent a fair amount of time is in their WebViews. Traditionally, UIWebView was the class de jour when a developer wanted to present a web page. In iOS 14 though, UIWebView was officially deprecated in favor of WKWebView.
Cookie handling is all possible to control as well. Access to the following methods, as described in this blog, is also controlled via the same process.
(void)setCookie:(NSHTTPCookie *)cookie completionHandler:(nullable void (^)(void))completionHandler;
(void)getAllCookies:(void (^)(NSArray<NSHTTPCookie *> *))completionHandler;
The WebKit blog article gives several use cases, and Apple also provided some guidance in a WWDC 2020 video (watch here), where they explicitly said that using AppBoundDomains is a best practice.
Veracode has kept up by being able to scan instances of WKWebView in an application’s code and ensure that a proper AppBoundDomain entry has been tied to that in the application bundle. If not, we’ll alert our customers to that effect, and in those cases, usually a quick fix is all that’s necessary as Apple made this easy to integrate into the application.
Most of these efforts have been made to ensure that built-in privacy protections became the norm on iOS. In the older UIWebView, private data can and has been taken, and this protection is a means to prevent that. For Desktop Safari users, you might notice that recent versions of OS X will now prevent some website trackers from tracking your browsing history and other data. We live in a connected world, busily browsing the internet, but without the right protections the services provided tend to take the same attitude towards you, and that certainly includes your data.
To learn more about iOS security, visit our knowledge base.