Researchers from Trend Micro have demonstrated a new attack method by which a malicious app installed on an iOS device can access sensitive information in another application by exploiting certain implementations of custom URL schemes.
By default, each iOS application runs in its own “sandbox”, which prevents installed applications from accessing each other's data. However, Apple provides several methods that allow applications to share a limited amount of information. One such mechanism is the URL scheme (deep linking), through which developers can let their apps be launched via a URL, for example facetime://, SMS:// or fb-messenger://.
For example, when a user selects the “Login using Facebook” option in an e-commerce app, the login to Facebook happens automatically: the app uses the URL scheme for Facebook and passes the context information required for authorization.
As the researchers found, Apple does not specify exactly which keywords an application can use for its URL schemes, i.e., multiple programs can use the same scheme, which may result in data being sent to a completely different application.
The experts illustrated the attack using the application of the Chinese retailer Suning, which implements a “sign in with WeChat” function. When a user logs into the account through WeChat, Suning generates an authorization request that is sent to the WeChat app installed on the device. WeChat then requests the secret token and sends it to the Suning application for authorization. Because Suning uses the same authorization request, and WeChat does not check the source of the request, this implementation is vulnerable to a so-called app-in-the-middle attack via the URL scheme, which can allow attackers to access user accounts.
Thus, a malicious application using the same URL scheme as the target program may access important data of other apps or perform various malicious actions.
Because exploitation of this vulnerability depends on how URL schemes are implemented, the experts recommend that application developers implement mechanisms to check for untrusted requests.