Closed BSI-TF-CWA closed 4 years ago
Release Tag: Beta Release Production Version: 0.5.0.1690 GitHub: https://github.com/corona-warn-app/cwa-app-ios/releases/tag/v0.5.0.1690
Dear @BSI-TF-CWA, thanks for sharing this security vulnerability. We are removing the option to start the application using a start scheme as well as injecting the configuration completely.
Thanks for your support!
Best regards, Chris
It would have been a good functionality to scan a QR code (e.g. for a test result) to start the app. Currently the QR codes have a URL pointing to localhost, which means Safari opens with a 404.
Wouldn’t it have been an option to remove the assignments in the 3 if statements?
@lennybacon
FYI: You can scan test result QR codes for rapid antigen tests as well as QR codes for check ins with your native iOS camera. Only certificates and PCR tests have to be scanned directly in the app.
Thanks @Ein-Tim. I’m coping with a PCR right now. It would be great if that would work in the same way.
Unfortunately this cannot be changed because the format is fixed in the printed Form 10c and this is hard to exchange. The initial idea was to prevent any IP tracking of the user who did a PCR test.
Rating: High
Description: The backend configuration can be changed via the app's custom URL scheme. More specifically, a custom URL can be created to change the app's submission, distribution, and verification URL settings. This enables an attacker to craft a custom URL that, if clicked by a victim, can change their backend URLs to attacker-controlled values. This feature is only intended for testing purposes. However, the check for the APP_STORE macro, which would disable this functionality in the production release, is currently commented out. If this were not to be removed for the release version, this issue would become highly critical. In the other case, this can be viewed as a reminder and to track the reintroduction of the APP_STORE check.
Now that the app is in release state (v0.5.0 - 1690), the issue is to be considered high. A user's app configuration can be changed just by making them click on a link, which is not acceptable for the release candidate of this app.
Proof of Concept: In ENA/Source/SceneDelegate.swift:206-234
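The following is an added example illustrating the mitigation discussed in this issue; it is not code from the corona-warn-app project and does not reproduce the affected SceneDelegate. It assumes a compile-time condition named APP_STORE (the macro the report refers to) is set for production builds, and it uses hypothetical names (BackendConfiguration, DeepLinkRoute, URLSchemeHandler, the scheme "cwa-example", the query parameter names and the allowlisted host) that are not taken from the app. The point it shows: a URL handler that only ever routes to a fixed set of non-configuration actions, with any developer-only override compiled out of production and, even in developer builds, restricted to an allowlist of known hosts over HTTPS.

```swift
// Added example: hardened custom-URL-scheme handling (not the project's own code).
// Assumes the build sets the APP_STORE compilation condition for production.
import Foundation

/// Backend endpoints the app talks to. Hypothetical type.
struct BackendConfiguration: Equatable {
    var submissionURL: URL
    var distributionURL: URL
    var verificationURL: URL
}

/// The only actions a URL launch may trigger. Note that no case carries
/// backend configuration: a link cannot express "change my endpoints".
enum DeepLinkRoute: Equatable {
    case testResult(guid: String)
    case unsupported
}

enum URLSchemeHandler {
    static let scheme = "cwa-example"   // hypothetical custom scheme

    /// Routing for all builds. Unknown hosts and malformed input fall
    /// through to .unsupported instead of being acted upon.
    static func route(for url: URL) -> DeepLinkRoute {
        guard url.scheme == scheme,
              let components = URLComponents(url: url, resolvingAgainstBaseURL: false)
        else { return .unsupported }

        switch components.host {
        case "testresult":
            if let guid = components.queryItems?.first(where: { $0.name == "guid" })?.value,
               !guid.isEmpty {
                return .testResult(guid: guid)
            }
            return .unsupported
        default:
            return .unsupported
        }
    }

    #if !APP_STORE
    /// Developer builds only: this whole block does not exist in a production
    /// binary, so there is no check that can be "commented out" at runtime.
    /// Hosts an override may point to. Constructed value for the example.
    static let allowedOverrideHosts: Set<String> = ["test.example.invalid"]

    /// Applies endpoint overrides from a developer link, but only for
    /// https URLs whose host is on the allowlist. Anything else is ignored
    /// and the base configuration is kept.
    static func overriddenConfiguration(from url: URL,
                                        base: BackendConfiguration) -> BackendConfiguration {
        var config = base
        guard url.scheme == scheme,
              let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems
        else { return config }

        // Hypothetical query parameter names; the app's real names are not shown here.
        func validated(_ name: String) -> URL? {
            guard let raw = items.first(where: { $0.name == name })?.value,
                  let candidate = URL(string: raw),
                  candidate.scheme == "https",
                  let host = candidate.host,
                  allowedOverrideHosts.contains(host)
            else { return nil }
            return candidate
        }
        if let u = validated("submissionBaseURL")   { config.submissionURL   = u }
        if let u = validated("distributionBaseURL") { config.distributionURL = u }
        if let u = validated("verificationBaseURL") { config.verificationURL = u }
        return config
    }
    #endif
}

// Usage from a scene delegate (hypothetical wiring):
//
// func scene(_ scene: UIScene, openURLContexts contexts: Set<UIOpenURLContext>) {
//     guard let url = contexts.first?.url else { return }
//     switch URLSchemeHandler.route(for: url) {
//     case .testResult(let guid): showTestResult(guid: guid)
//     case .unsupported: break   // ignore; never touch backend settings here
//     }
// }
```

Two design choices matter here. First, the production code path has no configuration-changing branch at all, so the defence does not depend on a runtime flag that a refactor can accidentally disable, which is exactly what happened in the reported version. Second, even the developer-only override is an allowlist rather than a free-form URL assignment, so a developer who clicks a crafted link during testing still cannot be redirected to an arbitrary server.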