Skip to content

iOS URL Scheme Injection

iOS URL Scheme Injection

Description

Custom URL schemes provide a way to reference resources inside an iOS app. For example, users tapping a custom URL in an email launch the application in a specified context. Other apps can also trigger another app to launch it with a specific context data; for example, a photo library app might display a specified image.

URL schemes offer a potential attack vector for iOS apps and are, by default, vulnerable to scheme hijacking.

Therefore, the app needs to make sure to validate all URL parameters and discard any malformed URLs. In addition, limit the available actions to those that don’t risk the user’s data. For example, don’t allow other apps to delete content directly or access sensitive information about the user.

Recommendation

While custom URL schemes are an acceptable form of deep linking, universal links are strongly recommended. For more information on universal links, see Allowing Apps and Websites to Link to Your Content.

The app needs to validate all URL parameters and discard any malformed URLs. In addition, limit the available actions to those that don’t risk the user’s data. For example, don’t allow other apps to delete content directly or access sensitive information about the user.

Standards

  • OWASP_MASVS_L1:
    • MSTG_PLATFORM_2
  • OWASP_MASVS_L2:
    • MSTG_PLATFORM_2
  • CWE_TOP_25:
    • CWE_20
  • GDPR:
    • ART_5
    • ART_32
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3