iOS Custom URI Handlers / Deeplinks / Custom Schemes

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

Custom URL schemes enable apps to communicate using a custom protocol, as detailed in the Apple Developer Documentation. These schemes must be declared by the app, which then handles incoming URLs following those schemes. It's crucial to validate all URL parameters and discard any malformed URLs to prevent attacks through this vector.

Mfano unatolewa ambapo URI myapp://hostname?data=123876123 inachochea hatua maalum ya programu. Uthibitisho wa udhaifu ulipatikana katika programu ya Skype Mobile, ambayo iliruhusu hatua za simu zisizoidhinishwa kupitia itifaki ya skype://. Mipango iliyosajiliwa inaweza kupatikana katika Info.plist ya programu chini ya CFBundleURLTypes. Programu mbaya zinaweza kutumia hii kwa kusajili tena URIs ili kukamata taarifa nyeti.

Application Query Schemes Registration

Kuanzia iOS 9.0, ili kuangalia kama programu inapatikana, canOpenURL: inahitaji kutangaza mipango ya URL katika Info.plist chini ya LSApplicationQueriesSchemes. Hii inapunguza mipango ambayo programu inaweza kuuliza hadi 50, ikiongeza faragha kwa kuzuia orodha ya programu.

<key>LSApplicationQueriesSchemes</key>
<array>
<string>url_scheme1</string>
<string>url_scheme2</string>
</array>

Testing URL Handling and Validation

Wakandarasi wanapaswa kuchunguza mbinu maalum katika msimbo wa chanzo ili kuelewa ujenzi wa njia za URL na uthibitishaji, kama vile application:didFinishLaunchingWithOptions: na application:openURL:options:. Kwa mfano, Telegram inatumia mbinu mbalimbali za kufungua URL:

func application(_ application: UIApplication, open url: URL, sourceApplication: String?) -> Bool {
self.openUrl(url: url)
return true
}

func application(_ application: UIApplication, open url: URL, sourceApplication: String?,
annotation: Any) -> Bool {
self.openUrl(url: url)
return true
}

func application(_ app: UIApplication, open url: URL,
options: [UIApplicationOpenURLOptionsKey : Any] = [:]) -> Bool {
self.openUrl(url: url)
return true
}

func application(_ application: UIApplication, handleOpen url: URL) -> Bool {
self.openUrl(url: url)
return true
}

Testing URL Requests to Other Apps

Mbinu kama openURL:options:completionHandler: ni muhimu kwa kufungua URL ili kuingiliana na programu nyingine. Kutambua matumizi ya mbinu kama hizo katika msimbo wa chanzo wa programu ni muhimu kwa kuelewa mawasiliano ya nje.

Testing for Deprecated Methods

Mbinu zilizopitwa na wakati zinazoshughulikia ufunguzi wa URL, kama application:handleOpenURL: na openURL:, zinapaswa kutambuliwa na kupitia kwa athari za usalama.

Fuzzing URL Schemes

Fuzzing URL schemes inaweza kutambua makosa ya ufisadi wa kumbukumbu. Zana kama Frida zinaweza kuendesha mchakato huu kwa kufungua URL zenye mzigo tofauti ili kufuatilia ajali, kama inavyoonyeshwa na udanganyifu wa URL katika programu ya iGoat-Swift:

$ frida -U SpringBoard -l ios-url-scheme-fuzzing.js
[iPhone::SpringBoard]-> fuzz("iGoat", "iGoat://?contactNumber={0}&message={0}")
Watching for crashes from iGoat...
No logs were moved.
Opened URL: iGoat://?contactNumber=0&message=0

Custom URL scheme hijacking

Kulingana na hiki, programu mbaya zinaweza kujiandikisha mipango maalum ya programu nyingine, kisha programu mbaya inaweza kufungua kivinjari ambacho kina vidakuzi vyote vya Safari App kwa kutumia ASWebAuthenticationSession.

Kwa kutumia kivinjari, programu mbaya inaweza kupakia ukurasa wa wavuti unaodhibitiwa na mshambuliaji na TCC itauliza mtumiaji wa simu ruhusa za kufungua programu hiyo. Kisha, ukurasa wa wavuti mbaya unaweza kuelekeza kwenye ukurasa wa mwathirika, kwa mfano mtiririko wa OAuth na parameter prompt=none. Ikiwa mtumiaji tayari alikuwa amejiandikisha katika mtiririko wa OAuth, mtiririko wa OAuth utatuma siri nyuma kwa programu ya mwathirika kwa kutumia mpango maalum wa programu ya mwathirika. Hata hivyo, kwa sababu programu mbaya pia iliandikisha na kwa sababu kivinjari kilichotumika kiko ndani ya programu mbaya, mpango maalum utashughulikiwa katika kesi hii na programu mbaya ambayo itakuwa na uwezo wa kuiba token ya OAuth.

References

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousiOS Burp Suite Configuration NextiOS Extracting Entitlements From Compiled Application

Last updated 1 month ago