Security researchers have illustrated a new app-in-the-middle attack that could allow a malicious app installed on your iOS device to steal sensitive information from other apps by exploiting certain implementations of Custom URL Scheme.
By default on Apple’s iOS operating system, every app runs inside a sandbox of its own, which prevent all apps installed on the same device from accessing each other’s data.
However, Apple offers some methods that facilitate sending and receiving very limited data between applications.
One such mechanism is called URL Scheme, also known as Deep Linking, that allows developers to let users launch their apps through URLs, like facetime://, whatsapp://, fb-messenger://.
For example, when you click “Sign in with Facebook” within an e-commerce app, it directly launches the Facebook app installed on your device and automatically process the authentication.
In the background, that e-commerce app actually triggers the URL Scheme for the Facebook app (fb://) and passes some context information required to process your login.
Researchers at Trend Micro noticed that since Apple does not explicitly define which app can use what keywords for their Custom URL Scheme, multiple apps on an iOS device can use single URL Scheme—which eventually could trigger and pass sensitive data to a completely different app unexpectedly or maliciously.
“This vulnerability is particularly critical if the login process of app A is associated with app B,” the researchers said.
To demonstrate this, researchers illustrated an attack scenario, as shown in the image above, using an example of a Chinese retailer app “Suning” and its implementation of “Login with WeChat” feature, explaining how it is susceptible to hacking.
In Short, when the Suning app users choose to access their e-commerce account using WeChat, it generates a login-request and sends it to the WeChat app installed on the same device using the iOS URL Scheme for the messaging app. WeChat app then requests a secret login token from its server and sends it back to the Suning app for authentication.
Researchers found that since Suning always uses the same login-request query to request the secret token and WeChat does not authenticate the source of the login request, the implementation is vulnerable to the app-in-the-middle attack via the iOS URL Scheme, eventually allowing attackers gain unauthorized access to users’ accounts.
“With the legitimate WeChat URL Scheme, a fake-WeChat can be crafted, and Suning will query the fake one for Login-Token. If the Suning app sends the query, then the fake app can capture its Login-Request URL Scheme.
“WeChat recognizes it, but it will not authenticate the source of the Login-Request. Instead, it will directly respond with a Login-Token to the source of the request. Unfortunately, the source could be a malicious app that is abusing the Suning URL scheme.”
That means, a malicious app with the same Custom URL Scheme as a targeted application can trick other apps into sharing users’ sensitive data with it or can perform unauthorized actions, potentially resulting in the loss of privacy, bill fraud, or exposure to pop-up ads.
“In our research, plenty of apps that our system audited were found taking advantage of this feature to show ads to victims. Potentially malicious apps would intentionally claim the URL Scheme associated with popular apps: wechat://, line://, fb://, fb-messenger://, etc. We identified some of these malicious apps,” the researchers said.
Since the exploitability of this vulnerability totally depends upon the way a URL Scheme has been implemented, app developers and popular platforms are recommended to review their apps and validate fix for untrusted requests.
- Unpatched Strandhogg Android Vulnerability Actively Exploited in the Wild
- New Unpatched Strandhogg Android Vulnerability Actively Exploited in the Wild
- New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps
- Malicious Android SDKs Caught Accessing Facebook and Twitter Users Data
- 3 Google Play Store Apps Exploit Android Zero-Day Used by NSO Group