Security researchers have demonstrated a new app-in-the-middle attack that could allow a malicious app installed on your iOS device to steal sensitive information from other apps by exploiting certain implementations of Custom URL Schemes.
By default on Apple’s iOS operating system, every app runs inside a sandbox of its own, which prevents apps installed on the same device from accessing each other’s data.
However, Apple offers some methods that facilitate sending and receiving very limited data between applications.
One such mechanism is the URL Scheme, also known as Deep Linking, which allows developers to let users launch their apps through URLs such as facetime://, whatsapp://, or fb-messenger://.
For example, when you tap “Sign in with Facebook” within an e-commerce app, it directly launches the Facebook app installed on your device and automatically processes the authentication.
In the background, that e-commerce app actually triggers the URL Scheme of the Facebook app (fb://) and passes along some context information required to process your login.
Researchers at Trend Micro noticed that, since Apple does not explicitly define which app may use which keywords for its Custom URL Scheme, multiple apps on an iOS device can register the same URL Scheme. As a result, a URL intended for one app could be delivered to, and pass sensitive data to, a completely different app, whether by accident or by malicious design.
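To make the defensive side of this concrete, the following Swift snippet is an added example written for this article; it is not code from Trend Micro, Apple, or any of the apps mentioned. It shows how an app receiving an OAuth-style callback over a custom URL scheme can limit what a hijacked or spoofed URL is worth: it accepts only the exact scheme and path it expects, checks the calling app’s bundle identifier when iOS supplies it, binds the callback to a pending login with a one-time state value, and carries only a short-lived authorization code in the URL rather than a session token. The scheme name “myshop”, the path “oauth/callback”, and the partner bundle identifier “com.example.partner” are assumptions made up for the example.

```swift
import UIKit

/// Hypothetical handler for an OAuth-style callback delivered via a custom URL scheme,
/// e.g. "myshop://oauth/callback?code=...&state=...".
/// Assumed values (not from the article): scheme "myshop", host "oauth",
/// path "/callback", trusted caller "com.example.partner".
final class CallbackRouter {
    /// One-time random value created when the login starts and kept locally.
    /// A callback is accepted only if it carries the same value, so a stray or
    /// attacker-crafted URL that matches no pending request is discarded.
    private var pendingState: String?

    /// Bundle identifiers we are willing to accept callbacks from.
    private let trustedCallers: Set<String> = ["com.example.partner"]

    /// Called when the user starts "Login with Partner"; the returned state
    /// is sent to the partner app and must come back unchanged.
    func beginLogin() -> String {
        let state = UUID().uuidString
        pendingState = state
        return state
    }

    /// Returns the authorization code if the URL is acceptable, otherwise nil.
    func handle(url: URL, sourceApplication: String?) -> String? {
        // 1. Accept only the exact scheme, host and path we registered for.
        guard let comps = URLComponents(url: url, resolvingAgainstBaseURL: false),
              comps.scheme == "myshop",
              comps.host == "oauth",
              comps.path == "/callback" else { return nil }

        // 2. When iOS reports which app opened the URL, insist it is the expected one.
        //    sourceApplication is not always present, so nil is treated as untrusted.
        guard let caller = sourceApplication,
              trustedCallers.contains(caller) else { return nil }

        // 3. Bind the callback to a pending login through the state value.
        let items = comps.queryItems ?? []
        guard let state = items.first(where: { $0.name == "state" })?.value,
              let expected = pendingState,
              state == expected else { return nil }
        pendingState = nil  // single use: a replayed URL is rejected

        // 4. Only a short-lived authorization code travels in the URL; the
        //    long-lived token is exchanged server-side, so a leaked URL alone
        //    does not yield a usable session.
        return items.first(where: { $0.name == "code" })?.value
    }
}

// Wiring in the UIApplicationDelegate (example only):
// func application(_ app: UIApplication, open url: URL,
//                  options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
//     let source = options[.sourceApplication] as? String
//     return router.handle(url: url, sourceApplication: source) != nil
// }
```

Two caveats apply. First, this hardens the receiving side; it cannot stop the sending app from launching a scheme that a different app has also registered, because Apple’s documentation states that when more than one third-party app registers the same scheme there is no defined rule for which one receives it. For the sending side the mitigation is to use Universal Links (https:// URLs tied to a domain through an apple-app-site-association file), which cannot be claimed by an unrelated app. Second, the sourceApplication option is informational rather than a strong authentication of the caller, which is why the state check and the code-not-token rule carry the real weight here.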
“This vulnerability is particularly critical if the login process of app A is associated with app B,” the researchers said.
To demonstrate this, the researchers illustrated an attack scenario, shown in the image above, using the example of the Chinese retailer app “Suning” and its implementation of the “Login with WeChat” feature, explaining how it is susceptible to this kind of attack.
images from Hacker News