iOS URL Scheme Injection

Description

Custom URL schemes provide a way to reference resources inside an iOS app. For example, a user tapping a custom URL in an email launches the application in a specified context. Other apps can also launch the app with specific context data; for example, a photo library app might be asked to display a specified image.

URL schemes offer a potential attack vector for iOS apps and are, by default, vulnerable to scheme hijacking.

Therefore, the app must validate all URL parameters and discard any malformed URLs. In addition, limit the actions reachable through the scheme to those that don’t put the user’s data at risk. For example, don’t allow other apps to delete content directly or to access sensitive information about the user.

Recommendation

To mitigate the potential risks associated with URL schemes in your iOS app, consider the following:

  1. Use Universal Links: Universal links allow you to create a two-way association between your app and your website and specify the URLs that your app handles, preventing other apps from hijacking them.

  2. Validate URL Parameters: Implement thorough validation checks for all URL parameters received by your app. Ensure that the parameters adhere to expected formats and do not contain any malicious payloads or unexpected data.

  3. Limit Available Actions: Evaluate the potential impact of each action triggered by a custom URL scheme and restrict the available actions to those that do not put user data or app security at risk.
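As an added example (not code from the original page), the Swift handler below applies recommendations 2 and 3: it accepts only an assumed placeholder scheme `myphotos`, allow-lists the actions the app exposes, validates each parameter's format, and drops any URL that fails. The scheme name, action names and parameter rules are assumptions for illustration.

```swift
import UIKit

// Actions the app is willing to expose through its custom scheme. Destructive or
// privacy-sensitive operations (delete, export) are deliberately not listed.
enum DeepLinkAction: String {
    case viewPhoto = "view-photo"
    case search = "search"
}
enum DeepLinkError: Error {
    case unexpectedScheme, unknownAction, missingParameter(String), malformedParameter(String)
}
struct DeepLink { let action: DeepLinkAction; let params: [String: String] }

/// Parses `myphotos://<action>?<query>` ("myphotos" is an assumed placeholder scheme)
/// and rejects anything outside the allow-list instead of trying to repair it.
func parseDeepLink(_ url: URL) throws -> DeepLink {
    guard url.scheme?.lowercased() == "myphotos" else { throw DeepLinkError.unexpectedScheme }
    guard let components = URLComponents(url: url, resolvingAgainstBaseURL: false),
          let host = components.host,
          let action = DeepLinkAction(rawValue: host) else { throw DeepLinkError.unknownAction }
    // Collapse query items into a dictionary; duplicate keys and empty values are malformed.
    var params: [String: String] = [:]
    for item in components.queryItems ?? [] {
        guard let value = item.value, !value.isEmpty, params[item.name] == nil else {
            throw DeepLinkError.malformedParameter(item.name)
        }
        params[item.name] = value
    }
    switch action {
    case .viewPhoto:
        // Photo identifiers are app-generated UUIDs; any other shape is discarded.
        guard let id = params["id"] else { throw DeepLinkError.missingParameter("id") }
        guard UUID(uuidString: id) != nil else { throw DeepLinkError.malformedParameter("id") }
    case .search:
        // Bound the length so a caller cannot push arbitrary blobs into the search path.
        guard let q = params["q"] else { throw DeepLinkError.missingParameter("q") }
        guard q.count <= 100 else { throw DeepLinkError.malformedParameter("q") }
    }
    return DeepLink(action: action, params: params)
}

class AppDelegate: UIResponder, UIApplicationDelegate {
    // Entry point for custom-scheme launches: a URL that fails validation is dropped, not acted on.
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        guard let link = try? parseDeepLink(url) else { return false }
        print("routing \(link.action) with \(link.params)")  // hand off to in-app navigation here
        return true
    }
}
```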

Standards

  • OWASP_MASVS_L1:
    • MSTG_PLATFORM_2
  • OWASP_MASVS_L2:
    • MSTG_PLATFORM_2
  • CWE_TOP_25:
    • CWE_20
  • GDPR:
    • ART_5
    • ART_32
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3
  • OWASP_MASVS_v2_1:
    • MASVS_CODE_4
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5