corona-warn-app / cwa-app-ios

Native iOS app using the exposure notification framework from Apple. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

[BSI][20200610] Backend Configuration via URL Scheme #454

Closed BSI-TF-CWA closed 4 years ago

BSI-TF-CWA commented 4 years ago

Rating: High

Description: The backend configuration can be changed via the app's custom URL scheme. More specifically, a custom URL can be created to change the app's submission, distribution, and verification URL settings. This enables an attacker to craft a custom URL that, if clicked by a victim, can change their backend URLs to attacker-controlled values. This feature is only intended for testing purposes. However, the check for the APP_STORE macro, which would disable this functionality in the production release, is currently commented out. If this were not to be removed for the release version, this issue would become highly critical. In the other case, this can be viewed as a reminder and to track the reintroduction of the APP_STORE check.

Now that the app is in release state (v0.5.0 - 1690), the issue is to be considered high. A user's app configuration can be changed just by making them click on a link, which is not acceptable for the release candidate of this app.

Proof of Concept: In ENA/Source/SceneDelegate.swift:206-234

    func scene(_: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>) {
        // We have to allow backend configuration via the url schema for now.
        // The guard below would make App Store builds ignore inbound URLs
        // entirely, but it is commented out, so the override path is live
        // in release builds as well.
        //        #if APP_STORE
        //        return
        //        #endif

        guard let url = URLContexts.first?.url else {
            return
        }

        guard let components = NSURLComponents(
            url: url,
            resolvingAgainstBaseURL: true
        ),
            let query = components.queryItems else {
            return
        }

        // Each query parameter is written straight into the store without
        // any check of scheme or host, so any link carrying these parameter
        // names repoints the app's backends to whatever the link says.
        if let submissionBaseURL = query.valueFor(queryItem: "submissionBaseURL") {
            store.developerSubmissionBaseURLOverride = submissionBaseURL
        }
        if let distributionBaseURL = query.valueFor(queryItem: "distributionBaseURL") {
            store.developerDistributionBaseURLOverride = distributionBaseURL
        }
        if let verificationBaseURL = query.valueFor(queryItem: "verificationBaseURL") {
            store.developerVerificationBaseURLOverride = verificationBaseURL
        }
    }

haxxbard commented 4 years ago
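A hardened form of the handler shown in the proof of concept, added here as an example; it is not code from the cwa-app-ios project, whose actual fix (see the maintainer reply below) removed the URL scheme entry point altogether. It assumes the APP_STORE build flag named in the issue, uses a `DeveloperStore` class as a stand-in for the app's `store`, and allowlists two hypothetical hosts; it deliberately does not assume the project's `valueFor(queryItem:)` helper or the app's actual URL scheme, neither of which the issue shows.

```swift
import UIKit

// Added example, not the project's own code. `DeveloperStore` stands in for
// the app's `store`; APP_STORE is the build flag the issue refers to.

/// Stand-in for the three override fields the PoC writes to (assumption).
final class DeveloperStore {
    var developerSubmissionBaseURLOverride: String?
    var developerDistributionBaseURLOverride: String?
    var developerVerificationBaseURLOverride: String?
}

/// Hosts a developer build may be pointed at. Hypothetical allowlist; a real
/// one would name the team's test environments.
private let allowedOverrideHosts: Set<String> = ["localhost", "127.0.0.1"]

/// Accepts a candidate base URL only if it is https and its host is on the
/// allowlist. Any other input (http, an attacker's host, garbage) yields nil,
/// so even in a developer build a crafted link cannot redirect submissions
/// to an arbitrary server.
func validatedOverride(_ raw: String?) -> String? {
    guard let raw = raw,
          let url = URL(string: raw),
          url.scheme?.lowercased() == "https",
          let host = url.host?.lowercased(),
          allowedOverrideHosts.contains(host) else {
        return nil
    }
    return raw
}

final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?
    let store = DeveloperStore()

    func scene(_: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>) {
        // Production builds never read configuration from an inbound URL.
        // This is the guard that was commented out in the PoC.
        #if APP_STORE
        return
        #else
        guard let url = URLContexts.first?.url,
              let components = URLComponents(url: url, resolvingAgainstBaseURL: true),
              let query = components.queryItems else {
            return
        }

        // Plain lookup by name; the project's valueFor(queryItem:) helper is
        // not assumed here.
        func value(_ name: String) -> String? {
            query.first { $0.name == name }?.value
        }

        // Every override goes through validatedOverride; a parameter that
        // fails validation is simply ignored rather than stored.
        if let submission = validatedOverride(value("submissionBaseURL")) {
            store.developerSubmissionBaseURLOverride = submission
        }
        if let distribution = validatedOverride(value("distributionBaseURL")) {
            store.developerDistributionBaseURLOverride = distribution
        }
        if let verification = validatedOverride(value("verificationBaseURL")) {
            store.developerVerificationBaseURLOverride = verification
        }
        #endif
    }
}
```

The compile-time guard is what protects the release build; the allowlist exists because developer builds are still installed on real devices and opened via real links, so an unvalidated override path in those builds is still a phishing target. Removing the three assignments entirely, as one commenter below suggests, is the stronger option if the URL scheme is needed for anything other than backend switching.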

Release Tag: Beta Release
Production Version: 0.5.0.1690
GitHub: https://github.com/corona-warn-app/cwa-app-ios/releases/tag/v0.5.0.1690

ChristopherSchmitz commented 4 years ago

Dear @BSI-TF-CWA thanks for sharing this security vulnerability. We are removing the option to start the application using a start schema as well as inject the configuration completely.

Thanks for your support!

Best regards, Chris

lennybacon commented 2 years ago

It would have been a good functionality to scan a qr-code (e.g. for a test result) to start the app. Currently the qr-codes have a url pointing to localhost which means Safari opens with 404.

Wouldn’t it have been an option to remove the assignments in the 3 if statements?

Ein-Tim commented 2 years ago

@lennybacon

FYI: You can scan test result QR codes for rapid antigen tests as well as QR codes for check ins with your native iOS camera. Only certificates and PCR tests have to be scanned directly in the app.

lennybacon commented 2 years ago

Thanks @Ein-Tim. I’m coping with a PCR right now. It would be great if that would work in the same way.

thomasaugsten commented 2 years ago

Unfortunately this cannot be changed because the format is fixed in the printed Form 10c and this is hard to exchange. The initial idea was to prevent any IP tracking of the user who did a PCR test.