Finding Description
The application registers custom URL schemes in its Info.plist file (the CFBundleURLTypes array, each entry carrying one or more CFBundleURLSchemes).
Custom URL schemes are used for deep linking within an application, but they are also frequently used to pass data to an application from a separate process.
However, custom URL schemes are not unique on the device: any application can register any scheme, including one already registered by another application, and Apple documents that there is no defined process for deciding which app receives a scheme that several third-party apps have registered.
In practice this allows an application to "hijack" custom URLs intended for a different application, simply by registering the same URL scheme on the same device. Any data carried in the URL (identifiers, session tokens, callback parameters) is then delivered to the hijacking app instead.
Steps to Reproduce
Enumerate the custom URL schemes registered by the application by reading CFBundleURLTypes / CFBundleURLSchemes from its Info.plist (the file inside an IPA is usually in binary plist format, so use a plist-aware reader rather than grep).
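The enumeration step above, as an added example that is not part of the original finding or NowSecure's tooling. It is a stand-alone Swift script that parses a target's Info.plist (XML or binary) with Foundation's PropertyListSerialization and prints every scheme under CFBundleURLTypes, which is exactly the list a colliding app would have to register. The output path and the usage string are assumptions.

```swift
import Foundation

// Added example (not the audited app's or NowSecure's code).
// Usage (assumed path): swift enumerate_url_schemes.swift Payload/Target.app/Info.plist

struct RegisteredScheme {
    let scheme: String
    let name: String
    let role: String
}

/// Extract every scheme declared under CFBundleURLTypes from a loaded plist dictionary.
func registeredSchemes(in plist: [String: Any]) -> [RegisteredScheme] {
    let urlTypes = plist["CFBundleURLTypes"] as? [[String: Any]] ?? []
    return urlTypes.flatMap { entry -> [RegisteredScheme] in
        let name = entry["CFBundleURLName"] as? String ?? "(unnamed)"
        // Apple's default role when the key is absent is Editor.
        let role = entry["CFBundleURLRole"] as? String ?? "Editor"
        let schemes = entry["CFBundleURLSchemes"] as? [String] ?? []
        return schemes.map { RegisteredScheme(scheme: $0, name: name, role: role) }
    }
}

let args = CommandLine.arguments
guard args.count == 2 else {
    FileHandle.standardError.write(Data("usage: \(args[0]) <Info.plist>\n".utf8))
    exit(2)
}

do {
    // PropertyListSerialization accepts both XML and binary plists, so no plutil conversion is needed.
    let data = try Data(contentsOf: URL(fileURLWithPath: args[1]))
    guard let plist = try PropertyListSerialization.propertyList(from: data, options: [], format: nil)
            as? [String: Any] else {
        FileHandle.standardError.write(Data("\(args[1]) is not a dictionary plist\n".utf8))
        exit(1)
    }
    let found = registeredSchemes(in: plist)
    if found.isEmpty {
        print("no custom URL schemes registered")
    }
    for s in found {
        // Each line is a hijack candidate: a second app declaring the same scheme will compete for it.
        print("\(s.scheme)://\tname=\(s.name)\trole=\(s.role)")
    }
} catch {
    FileHandle.standardError.write(Data("cannot read \(args[1]): \(error)\n".utf8))
    exit(1)
}
```

Run it against the Info.plist of every app bundle extracted from the IPA, including embedded app extensions, since each bundle can declare its own CFBundleURLTypes.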
Business Impact
Multiple applications installed on the same device may register the same URL scheme, and iOS provides no mechanism for the legitimate owner of a scheme to claim it exclusively.
Whichever application is selected receives every invocation of that scheme, even those intended for another application, including any sensitive data or callback parameters embedded in the URL.
Remediation Resources
Do not use URL schemes to transmit sensitive data or to trigger operations of a sensitive nature (authentication, payments, data export).
Validate all data passed via custom URL schemes, and verify that the sender is an expected source by examining the sourceApplication value in the options dictionary passed to application:openURL:options:. Note that this value is only populated when UIKit can attribute the request to a calling app; it is nil for requests the system opens on the app's behalf and, on current iOS releases, for apps outside the developer's own Team ID, so a nil sender must be treated as untrusted rather than as a pass.
For more information, see Apple's documentation.
If possible, replace custom URL schemes with universal links.
Apple now considers universal links to be the best practice for deep linking, since they are bound to a domain the developer controls (via the apple-app-site-association file served over HTTPS) and are therefore resistant to the type of hijacking that can occur with URL schemes.
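A hardened URL handler implementing the remediation guidance above, written here as an added example rather than code from the audited application. The scheme name exampleapp, the trusted caller bundle ID com.example.companion, the item host and id parameter, and the notification name are all assumptions; the validation is kept in a pure function so it can be unit-tested without UIKit.

```swift
import UIKit

// Added example (not the audited app's code). All names below are hypothetical.
private let expectedScheme = "exampleapp"                          // assumption: the app's CFBundleURLSchemes entry
private let trustedCallers: Set<String> = ["com.example.companion"] // assumption: same-team apps allowed to deep link

/// Outcome of validating an incoming URL before anything acts on it.
enum DeepLinkAction: Equatable {
    case showItem(id: String)
    case rejected(reason: String)
}

/// Pure validation: scheme check, caller allowlist, structural parse, parameter allowlist.
func validateDeepLink(_ url: URL, sourceApplication: String?) -> DeepLinkAction {
    // 1. Only honour our own scheme; an app that declares several schemes gets all of them here.
    guard url.scheme?.lowercased() == expectedScheme else {
        return .rejected(reason: "unexpected scheme \(url.scheme ?? "nil")")
    }
    // 2. sourceApplication is the caller's bundle ID as reported by UIKit. It is nil when the
    //    system opened the URL itself or the caller is outside our Team ID, so nil is NOT trusted.
    guard let caller = sourceApplication, trustedCallers.contains(caller) else {
        return .rejected(reason: "untrusted or unknown caller \(sourceApplication ?? "nil")")
    }
    // 3. Parse structurally with URLComponents instead of matching substrings of the raw URL.
    guard let components = URLComponents(url: url, resolvingAgainstBaseURL: false),
          components.host == "item" else {
        return .rejected(reason: "unsupported host \(url.host ?? "nil")")
    }
    // 4. Allowlist the parameter format. No tokens, credentials or commands are accepted from a URL.
    let id = components.queryItems?.first(where: { $0.name == "id" })?.value ?? ""
    guard id.range(of: "^[A-Za-z0-9]{1,32}$", options: .regularExpression) != nil else {
        return .rejected(reason: "malformed id")
    }
    return .showItem(id: id)
}

// Hypothetical notification the navigation layer observes; no sensitive operation is reachable from a URL.
extension Notification.Name {
    static let showItemRequested = Notification.Name("showItemRequested")
}

class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?

    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        let source = options[.sourceApplication] as? String
        switch validateDeepLink(url, sourceApplication: source) {
        case .showItem(let id):
            NotificationCenter.default.post(name: .showItemRequested, object: nil, userInfo: ["id": id])
            return true
        case .rejected(let reason):
            // Log the rejection for detection purposes; do not echo the full URL, it may carry data.
            NSLog("deep link rejected: %@", reason)
            return false
        }
    }
}
```

With this shape, exampleapp://item?id=abc123 from com.example.companion yields .showItem(id: "abc123"), while the same URL with a nil or unlisted sourceApplication, a different host, or an id containing anything outside the allowlisted character set is rejected before any navigation happens. Even so, the handler only opens a screen; anything that needs authentication or a session should be established through the app's normal flow, not from URL parameters, because a colliding app on the same device could still be the one that receives the URL.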
Risk and Regulatory Information
Severity: info
Application