user48956

Reputation: 15800

Are custom URL schemes secure?

Suppose a user forgot their password and requested an email link to reset it. The email could contain a URI link to reset their password. If this is a URI for a registered URI scheme in Android or iOS, is this secure?

For example, if the URI were broadcast to listener applications, can a malicious app take this URI and behind-the-scenes reset the login username and password for the user of the original site?

Can a malicious app register to receive links from any domain, or are there restrictions? (iOS or Android)


Update: The deep linking I'm talking about is:

Upvotes: 1

Views: 3123

Answers (2)

jerluc

Reputation: 4316

On Android devices, I believe you receive a chooser dialog if more than one application is registered with the same deeplink URI scheme. This allows the user to choose which application to actually use to resolve the deeplink URI and complete the action:

[Image: "Complete action" intent chooser dialog]

Not entirely sure why iOS did not choose to implement something similar, though I'd imagine it was because it can sometimes provide for a somewhat inconvenient and/or confusing user experience.

Upvotes: 2

Paulw11

Reputation: 114984

There is no security around the registration of custom URL schemes in iOS. Apple's documentation states:

"If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme."

I am not sure what the situation is on Android, but I suspect it is similar - the scheme is simply listed in the manifest file.

For someone to exploit this they would need to:

  1. Identify your technique & URI format
  2. Craft an application to exploit it
  3. Get that app into an app store (Getting it into the Apple App Store is trickier - the app would effectively have to be a 'trojan horse' - offering some primary value with the exploit functionality second.)
  4. Get the user to install the app
  5. Wait for the user to forget their password

As per my comment to your questions, you need to evaluate the risk in the context of your application and what the account grants access to, but on the surface the likelihood of an exploit seems low.

Upvotes: 1
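
Added example, not part of either answer and not any project's own code: a Python check that reads a decoded AndroidManifest.xml and lists the link schemes an app declares, flagging custom schemes, which the answers note any app can also register. The manifest, package, activity and scheme names are constructed; the `android:autoVerify` check reflects Android App Links domain verification, which the thread does not mention.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest; package, activity and scheme names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.shop">
 <application>
  <activity android:name=".ResetActivity">
   <intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="exampleshop" android:host="reset"/>
   </intent-filter>
  </activity>
  <activity android:name=".LinkActivity">
   <intent-filter android:autoVerify="true">
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="https" android:host="shop.example.com"/>
   </intent-filter>
  </activity>
 </application>
</manifest>"""

def audit_deeplinks(manifest_xml):
    """List (activity, scheme, finding) for each scheme declared in a VIEW intent-filter."""
    findings = []
    for activity in ET.fromstring(manifest_xml).iter("activity"):
        for flt in activity.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if "android.intent.action.VIEW" not in actions:
                continue  # this filter does not handle links
            verified = flt.get(A + "autoVerify") == "true"
            for scheme in sorted({d.get(A + "scheme") for d in flt.iter("data")} - {None}):
                if scheme not in ("http", "https"):
                    # Any other installed app can declare the same custom scheme.
                    finding = "custom scheme: not bound to one app"
                elif verified:
                    finding = "web link: domain verification requested"
                else:
                    finding = "web link: autoVerify not set"
                findings.append((activity.get(A + "name"), scheme, finding))
    return findings

if __name__ == "__main__":
    for name, scheme, finding in audit_deeplinks(SAMPLE_MANIFEST):
        print(f"{name:15} {scheme:12} {finding}")
```

A reset link that carries a secret is better placed behind the verified `https` filter than the custom scheme, since the custom-scheme filter is the one another app can duplicate.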
