URL schemes offer a potential attack vector into your app, so make sure to validate all URL parameters and discard any malformed URLs. In addition, limit the available actions to those that do not risk the user’s data.
For example, `myapp://hostname?data=123876123` will invoke the application `mydata` (the one that has registered the scheme `mydata`) with the action related to the hostname `hostname`, sending it the query parameter (`data=123876123` in this example).
The Skype app registered a `skype://` protocol handler, which allowed other apps to trigger calls to other Skype users and phone numbers. Unfortunately, Skype didn't ask users for permission before placing the calls, so any app could call arbitrary numbers without the user's knowledge. Attackers exploited this vulnerability by putting an invisible element on a web page that invoked the handler (where `xxx` was replaced by a premium number), so any Skype user who inadvertently visited a malicious website called the premium number.
An app can call `canOpenURL:` to verify that the target app is available. However, because this method was being used by malicious apps as a way to enumerate installed apps, from iOS 9.0 the URL schemes passed to it must also be declared by adding the `LSApplicationQueriesSchemes` key to the app's `Info.plist` file, with an array of up to 50 URL schemes. `canOpenURL` will always return `NO` for undeclared schemes, whether or not an appropriate app is installed. However, this restriction only applies to
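An added example (not from the original page) of the `Info.plist` declaration described above. It assumes an app that wants to check, via `canOpenURL:`, whether Skype and a hypothetical partner app registering the scheme `myapp` are installed; both scheme names are illustrative.

```xml
<!-- Excerpt of an app's Info.plist (added example, names are assumptions).
     Without this key, canOpenURL: returns NO for "skype://..." and "myapp://..."
     on iOS 9.0 and later, even when the target app is installed. The array
     may hold at most 50 schemes; list only the ones the app genuinely needs,
     since the declaration itself reveals which apps this app probes for. -->
<key>LSApplicationQueriesSchemes</key>
<array>
    <string>skype</string>
    <string>myapp</string>
</array>
```

Keeping the list short is also a reviewer's check: an app declaring dozens of unrelated schemes is a sign it is fingerprinting the device rather than integrating with a partner app.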
Check `application:willFinishLaunchingWithOptions:`: verify how the decision is made and how the information about the URL is retrieved.
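To make the advice above concrete (validate every parameter, discard malformed URLs, and limit the reachable actions to ones that cannot harm the user's data), here is an added example of a hardened custom-URL handler. It is not code from the original page; it assumes an app that registers the scheme `myapp`, supports a single host `open-note`, and accepts one parameter `id` that must be a short decimal integer. All of those names are illustrative.

```swift
import UIKit

// Added example (not from the original page): a custom-URL handler that
// allowlists the host, rejects unexpected parameters and bounds the value.
// Assumptions: scheme "myapp", host "open-note", parameter "id" (decimal int).

enum DeepLinkAction: Equatable {
    case openNote(id: Int)          // the only action reachable from a URL
}

enum DeepLinkError: Error {
    case wrongScheme, unknownHost, unexpectedParameter, malformedParameter
}

struct DeepLinkParser {
    static let scheme = "myapp"
    static let allowedHosts: Set<String> = ["open-note"]

    static func parse(_ url: URL) throws -> DeepLinkAction {
        // Let URLComponents decode the URL rather than splitting strings by hand.
        guard let components = URLComponents(url: url, resolvingAgainstBaseURL: false),
              components.scheme?.lowercased() == scheme else {
            throw DeepLinkError.wrongScheme
        }
        // The host selects the action; anything outside the allowlist is dropped.
        guard let host = components.host?.lowercased(), allowedHosts.contains(host) else {
            throw DeepLinkError.unknownHost
        }
        // Exactly one parameter, and it must be the one this action defines.
        let items = components.queryItems ?? []
        guard items.count == 1, let item = items.first, item.name == "id" else {
            throw DeepLinkError.unexpectedParameter
        }
        // Bound the value: ASCII digits only, at most 9 of them, parseable as Int.
        guard let value = item.value, !value.isEmpty, value.count <= 9,
              value.allSatisfy({ $0.isASCII && $0.isNumber }),
              let id = Int(value) else {
            throw DeepLinkError.malformedParameter
        }
        return .openNote(id: id)
    }
}

// Where the decision is made: the app delegate hands the URL to the parser and
// performs only the read-only action it maps to. Malformed or unknown URLs are
// ignored (returning false) instead of being partially honoured.
class AppDelegate: UIResponder, UIApplicationDelegate {
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        do {
            switch try DeepLinkParser.parse(url) {
            case .openNote(let id):
                print("showing note \(id)")   // displays data, never modifies it
                return true
            }
        } catch {
            return false
        }
    }
}
```

With this structure, the things a static reviewer looks for are easy to find in one place: the scheme and host allowlist, the strict parameter check, and the fact that no URL can reach an action that changes or exports user data.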
`openURL:options:completionHandler:` and the deprecated variant of it on `UIApplication` are responsible for opening URLs (i.e., sending requests / making queries to other apps) that may be local to the current app or may have to be handled by a different app. If you have the original source code, you can search directly for usages of those methods.
For example, if you open `tel://123456789`, Safari will try to start calling the number.
By exercising the app's custom scheme (e.g., `myURLscheme://`), you can discover hidden functionality (e.g., a debug window) and bypass local authentication.
Alternatively, `LSApplicationWorkspace.openSensitiveURL:withOptions:` can be used to open the URLs (from the SpringBoard app):
Note that the use of non-public APIs is not permitted on the App Store, which is why we don't even test for them, but we are allowed to use them for our dynamic analysis.