URL schemes offer a potential attack vector into your app, so make sure to validate all URL parameters and discard any malformed URLs. In addition, limit the available actions to those that do not risk the user’s data.
For example, the URL `myapp://hostname?data=123876123` invokes the application that has registered the scheme `myapp`, dispatches to the action associated with the host `hostname`, and passes the parameter `data` with the value `123876123`.
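The validation the first paragraph asks for, modelled in Python as an added example (it is not code from the original page; an iOS app would apply the same checks in Swift or Objective-C inside `application:openURL:options:`). The scheme `myapp`, the two allowed hosts and their parameter rules are assumptions chosen to match the `myapp://hostname?data=123876123` example; the point is that anything not explicitly allowed (wrong scheme, unknown host, path or fragment, duplicate, missing or extra parameters, bad values) is discarded rather than acted on.

```python
"""Allow-list validation of an incoming custom-scheme URL.

Added example, not code from the page. SCHEME, ACTIONS and the parameter
rules are assumptions for illustration. A real app performs these checks
before touching any data, and never exposes destructive actions via URL.
"""
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qsl, urlsplit

SCHEME = "myapp"          # assumed scheme registered in CFBundleURLTypes
MAX_URL_LEN = 2048        # reject absurdly long URLs before parsing anything

# host (action) -> {parameter name: validator}. Only these hosts and exactly
# these parameters are accepted. No "delete"/"pay"-style action is exposed.
ACTIONS: Dict[str, Dict[str, Callable[[str], bool]]] = {
    "hostname": {"data": lambda v: v.isdigit() and 1 <= len(v) <= 12},
    "show":     {"id": lambda v: v.isdigit() and int(v) > 0},
}


class BadURL(ValueError):
    """Raised for any URL that must be discarded."""


def parse_custom_url(url: str) -> Tuple[str, Dict[str, str]]:
    """Return (action, params) for a well-formed, allowed URL; raise BadURL otherwise."""
    if len(url) > MAX_URL_LEN:
        raise BadURL("URL too long")
    parts = urlsplit(url)
    if parts.scheme.lower() != SCHEME:
        raise BadURL(f"unexpected scheme {parts.scheme!r}")
    action = parts.netloc.lower()        # netloc keeps userinfo/port, so those fail the lookup
    if action not in ACTIONS:
        raise BadURL(f"unknown action {action!r}")
    if parts.path not in ("", "/") or parts.fragment:
        raise BadURL("unexpected path or fragment")
    # strict_parsing rejects junk like "a&b=1"; keep_blank_values surfaces "data=".
    # Handle the empty query ourselves: strict parse_qsl("") raises on old Pythons.
    try:
        pairs = parse_qsl(parts.query, keep_blank_values=True, strict_parsing=True) if parts.query else []
    except ValueError as exc:
        raise BadURL(f"malformed query: {exc}") from exc
    params: Dict[str, str] = {}
    for name, value in pairs:
        if name in params:
            raise BadURL(f"duplicate parameter {name!r}")
        params[name] = value
    rules = ACTIONS[action]
    if set(params) != set(rules):           # no missing and no extra parameters
        raise BadURL(f"parameters {sorted(params)} do not match {sorted(rules)}")
    for name, check in rules.items():
        if not check(params[name]):
            raise BadURL(f"invalid value for {name!r}")
    return action, params


def is_valid(url: str) -> bool:
    """Convenience wrapper: True if the URL would be acted on, False if discarded."""
    try:
        parse_custom_url(url)
        return True
    except BadURL:
        return False


if __name__ == "__main__":
    for u in ("myapp://hostname?data=123876123", "myapp://delete?id=1",
              "myapp://hostname?data=1&data=2", "myapp://hostname/../x?data=1"):
        print(u, "->", "accepted" if is_valid(u) else "discarded")
```

The rules live in one table, so adding an action means deciding up front which parameters it takes and what they may contain; the parser never forwards an unknown key to the rest of the app.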
A well-known case is the Skype app, which registered the `skype://` protocol handler. The handler allowed other apps to trigger calls to other Skype users and phone numbers. Unfortunately, Skype didn't ask users for permission before placing the calls, so any app could call arbitrary numbers without the user's knowledge. Attackers exploited this vulnerability by placing an invisible `<iframe src="skype://xxx?call"></iframe>` (where `xxx` was replaced by a premium-rate number) on a web page, so any Skype user who inadvertently visited the malicious website called the premium number.

The first step when testing custom URL schemes is to find out whether the app registers any protocol handlers. This information is in the app's `Info.plist` file under the `CFBundleURLTypes` key (the `Info.plist` of iGoat-Swift is an example).

Before opening a URL, apps can call `canOpenURL:` to verify that the target app is available. However, because malicious apps used this method to enumerate installed apps, from iOS 9.0 the URL schemes passed to it must also be declared in the app's `Info.plist` file under the `LSApplicationQueriesSchemes` key, as an array of up to 50 URL schemes. `canOpenURL:` always returns `NO` for undeclared schemes, whether or not an app handling the scheme is installed. This restriction applies only to `canOpenURL:`, not to opening the URL itself.
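The two `Info.plist` checks above (schemes the app registers under `CFBundleURLTypes`, and schemes it is allowed to pass to `canOpenURL:` under `LSApplicationQueriesSchemes`) as a small static-analysis script. This is an added example, not code from the page or from iGoat-Swift: the embedded plist is a constructed sample whose bundle identifier and scheme names are made up, and `analyse_dict` is a helper name chosen here. The script reports both lists and flags an `LSApplicationQueriesSchemes` array longer than the 50-entry limit.

```python
"""Extract custom URL scheme information from an iOS Info.plist.

Added example, not from the page. SAMPLE_INFO_PLIST is a constructed
plist; in practice you would read the Info.plist from the unpacked IPA
(Payload/<App>.app/Info.plist). plistlib handles both XML and binary plists.
"""
import plistlib
from typing import Dict, List

MAX_QUERY_SCHEMES = 50   # iOS 9+ limit for LSApplicationQueriesSchemes

# Constructed sample: one registered scheme pair plus two query schemes.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.myapp</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>com.example.myapp</string>
      <key>CFBundleURLSchemes</key>
      <array><string>myapp</string><string>myapp-debug</string></array>
    </dict>
  </array>
  <key>LSApplicationQueriesSchemes</key>
  <array><string>skype</string><string>tel</string></array>
</dict>
</plist>
"""


def registered_schemes(info: dict) -> List[str]:
    """Every scheme the app handles: all CFBundleURLSchemes entries across CFBundleURLTypes."""
    schemes: List[str] = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    return schemes


def queryable_schemes(info: dict) -> List[str]:
    """Schemes for which canOpenURL: may return YES on iOS 9+."""
    return list(info.get("LSApplicationQueriesSchemes", []))


def analyse_dict(info: dict) -> Dict[str, object]:
    """Summarise the URL-scheme surface of an already-parsed Info.plist dict."""
    registered = registered_schemes(info)
    queryable = queryable_schemes(info)
    findings: List[str] = []
    if registered:
        findings.append(f"app registers custom URL schemes {registered}: review the URL handler")
    if len(queryable) > MAX_QUERY_SCHEMES:
        findings.append(f"LSApplicationQueriesSchemes has {len(queryable)} entries, above the limit of {MAX_QUERY_SCHEMES}")
    return {"registered": registered, "queryable": queryable, "findings": findings}


def analyse(plist_bytes: bytes) -> Dict[str, object]:
    """Parse raw Info.plist bytes (XML or binary) and summarise them."""
    return analyse_dict(plistlib.loads(plist_bytes))


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_INFO_PLIST).items():
        print(f"{key}: {value}")
```

Every scheme in `registered` is an entry point into the app: the next steps are to find the handler that receives it (see the `application:openURL:options:` checks below) and to exercise it dynamically.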
If you have the original source code, you can determine how a URL path is built and validated by searching for the following methods:

- `application:didFinishLaunchingWithOptions:` or `application:willFinishLaunchingWithOptions:`: verify how the decision is made and how the information about the URL is retrieved.
- `application:openURL:options:`: verify how the resource is opened, i.e. how the data is parsed, and check the options, especially whether access by the calling app (`sourceApplication`) should be allowed or denied. The app might also need the user's permission before acting on the custom URL scheme.

The `openURL:options:completionHandler:` method and the deprecated `openURL:` method of `UIApplication` are responsible for opening URLs (i.e. sending requests or queries to other apps). The URL may be local to the current app or one that must be handled by a different app. If you have the original source code, search directly for usages of those methods.

For dynamic analysis, open the URLs from Safari and observe how the app behaves (for example, with the URL `tel://123456789` Safari will try to start a call to that number). By opening the app's own schemes (e.g. `myURLscheme://`) with different hosts and parameters, you can discover hidden functionality (e.g. a debug window) and bypass local authentication. URLs can also be opened from a Frida script attached to the SpringBoard app that calls `LSApplicationWorkspace.openSensitiveURL:withOptions:`. Note that the use of non-public APIs is not permitted on the App Store, which is why we don't even test for them, but we are allowed to use them for our dynamic analysis.
You can also fuzz the URL handler with a fuzzer that calls `openURL` through Frida's RPC. That fuzzer should do the following:

- generate payloads;
- call `openURL` with each payload;
- check whether the app generated a crash report (an `.ips` file) in `/private/var/mobile/Library/Logs/CrashReporter`.

The URL to fuzz is given as a template in which `{0}` marks where the payload is inserted, e.g. `iGoat://?contactNumber={0}&message={0}`.
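The three fuzzer steps above, implemented as an added example (this is not the page's own fuzzer). Payload generation, the per-payload `openURL` call and the crash-report check are plain Python so the harness runs offline; `open_url` is a callable that, on a real device, would be the RPC export of a Frida script attached to the target (that Frida script is assumed and not written here), and the `demo` function substitutes a fake target that writes a constructed `.ips` file when it sees a `%n` format string. The payload list, the fake crash-log names and `demo` are assumptions for illustration.

```python
"""URL-scheme fuzzing harness: payloads -> openURL -> look for new .ips files.

Added example, not the page's fuzzer. open_url is injected so the harness
can run offline; on a device it would call a Frida RPC export that invokes
openURL with the given string. demo() wires up a fake target.
"""
import os
import tempfile
from typing import Callable, List, Set, Tuple

CRASH_DIR = "/private/var/mobile/Library/Logs/CrashReporter"
TEMPLATE = "iGoat://?contactNumber={0}&message={0}"   # {0} is the payload slot


def generate_payloads(max_len: int = 4096) -> List[str]:
    """Input-fuzzing payloads: long strings, format strings, control and
    encoded characters, path traversal and numeric overflow candidates."""
    payloads = ["A" * n for n in (64, 256, 1024, max_len)]
    payloads += ["%s%s%s%s%n", "%x" * 32, "\x00", "%00", "%ff%fe",
                 "'\"<>&;", "../../etc/passwd", "-" + "9" * 40]
    return payloads


def build_url(template: str, payload: str) -> str:
    """Insert the payload at every {0}. Left unencoded on purpose: whether the
    handler copes with raw characters is part of what is being tested."""
    return template.format(payload)


def list_crash_reports(crash_dir: str) -> Set[str]:
    """Names of .ips crash reports currently present (empty if the dir is missing)."""
    if not os.path.isdir(crash_dir):
        return set()
    return {name for name in os.listdir(crash_dir) if name.endswith(".ips")}


def fuzz(template: str, payloads: List[str], open_url: Callable[[str], None],
         crash_dir: str = CRASH_DIR) -> List[Tuple[str, List[str]]]:
    """Send every payload and return (payload, new crash report names) for
    each payload after which a new .ips file appeared."""
    crashes: List[Tuple[str, List[str]]] = []
    seen = list_crash_reports(crash_dir)
    for payload in payloads:
        open_url(build_url(template, payload))
        now = list_crash_reports(crash_dir)
        new = sorted(now - seen)
        if new:
            crashes.append((payload, new))
            seen = now
    return crashes


def demo() -> List[str]:
    """Offline dry run against a fake target that 'crashes' on %n format
    strings by writing a constructed .ips file. Returns the crashing payloads."""
    with tempfile.TemporaryDirectory() as crash_dir:
        count = {"n": 0}

        def fake_open_url(url: str) -> None:   # stand-in for the Frida RPC call
            if "%n" in url:
                count["n"] += 1
                path = os.path.join(crash_dir, f"iGoat-{count['n']}.ips")
                with open(path, "w") as fh:
                    fh.write("constructed crash report\n")

        results = fuzz(TEMPLATE, generate_payloads(), fake_open_url, crash_dir=crash_dir)
        return [payload for payload, _ in results]


if __name__ == "__main__":
    print("crashing payloads:", demo())
```

Snapshotting the crash directory before each `openURL` call, rather than only at the end, is what ties a report to the payload that produced it; on a device, keep the delay between calls long enough for the app to relaunch, or a crash caused by one payload will be attributed to the next.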