Insecure Handling of URL Schemes in Apple's iOS

Discussion in 'BlackHat Lounge' started by discodave, Nov 10, 2010.

This is a guest post from security researcher Nitesh Dhanjani. Nitesh will be giving a talk on "Hacking and Securing Next Generation iPhone and iPad Apps" at SANS AppSec 2011.

    In this article, I will discuss the security concerns I have regarding how URL Schemes are registered and invoked in iOS.

URL Schemes, as Apple refers to them, are URL Protocol Handlers that can be invoked by the Safari browser. They can also be used by applications to launch other applications to perform certain transactions, but this use case isn't relevant to the scope of this discussion.

    In the URL Scheme Reference document, Apple lists the default URL Schemes that are registered within iOS. For example, the tel: scheme can be used to launch the Phone application. Now, imagine if a website were to contain the following HTML rendered to someone browsing using Safari on iOS:

<iframe src="tel:1-408-555-5555"></iframe>

    Source & More:
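A defender-side illustration of the point above, added here and not part of discodave's post or Dhanjani's article: a small scanner that walks page HTML and reports attributes carrying app-launching schemes such as tel:, separating those Safari dereferences on render (an iframe src, as in the snippet) from those that need a tap (an anchor href). The scheme list and the tag/attribute tables are assumptions chosen for this example, not something Apple or the article defines.

```python
import re
from html.parser import HTMLParser

# Schemes from Apple's URL Scheme Reference that hand the URL straight to another
# built-in app (Phone, Messages, Mail, FaceTime); add custom schemes as needed.
APP_LAUNCH_SCHEMES = {"tel", "sms", "mailto", "facetime"}
# (tag, attribute) pairs Safari dereferences while rendering, with no tap needed.
AUTO_LOAD_ATTRS = {("iframe", "src"), ("frame", "src"), ("img", "src"),
                   ("script", "src"), ("embed", "src"), ("object", "data")}
# Pairs that fire only after a user action.
USER_ACTION_ATTRS = {("a", "href"), ("area", "href"), ("form", "action")}
SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.-]*):", re.IGNORECASE)


class SchemeFinder(HTMLParser):
    # Collects every attribute whose value starts with an app-launching scheme.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            m = SCHEME_RE.match(value or "")
            if not m or m.group(1).lower() not in APP_LAUNCH_SCHEMES:
                continue
            if (tag, name) in AUTO_LOAD_ATTRS:
                trigger = "auto"
            elif (tag, name) in USER_ACTION_ATTRS:
                trigger = "user-action"
            else:
                continue  # scheme in an attribute Safari never dereferences
            self.findings.append({"tag": tag, "attr": name, "trigger": trigger,
                                  "scheme": m.group(1).lower(), "url": value.strip()})


def find_app_launch_urls(html):
    """Return findings for the HTML, those that fire without a tap listed first."""
    parser = SchemeFinder()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings, key=lambda f: f["trigger"] != "auto")


# Constructed sample page: the iframe from the post, an ordinary https iframe
# that must not be flagged, and a tel: link that only fires when tapped.
SAMPLE_HTML = """<html><body>
<iframe src="tel:1-408-555-5555"></iframe>
<iframe src="https://example.com/"></iframe>
<a href="TEL:1-408-555-5555">call us</a>
</body></html>"""
```

Running find_app_launch_urls(SAMPLE_HTML) flags the iframe as "auto" and the link as "user-action"; the https iframe is ignored.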