Softpedia

November 9th, 2010, 09:35 GMT · By

iOS Handling of URL Schemes May Lead to Identity Theft

The SANS Software Security Institute is reporting that Apple’s iOS handles URL schemes insecurely, allowing potentially malicious web sites to launch third-party applications such as Skype, and reveal personal information in the process.

Frank Kim of SANS SSI has a detailed blog post on the matter, which begins with a definition of the term “URL Schemes.”

Kim explains that, on iOS devices, these are URL protocol handlers that can be invoked by the Safari browser.

“In the URL Scheme Reference document, Apple lists the default URL Schemes that are registered within iOS. For example, the tel: scheme can be used to launch the Phone application,” Kim elaborates.

Safari does a great job of preventing malicious web sites from initiating a phone call without the user’s explicit permission, as Kim shows in a screenshot embedded in his post.

However, Kim shows that Safari does not do the same when a malicious site renders an HTML string that instructs iOS to launch the Skype application, using Skype as his example.

“In this case, Safari throws no warning, and yanks the user into Skype which immediately initiates the call,” Kim outlines.

“The security implications of this is obvious, including the additional abuse case where a malicious site can make Skype.app call a Skype-id who can then uncloak the victim’s identity (by analyzing the victim’s Skype-id from the incoming call),” the author notes.

Kim believes that “the risk posed by how URL Schemes are handled in iOS is significant because it allows external sources to launch applications without user interaction and perform registered transactions.”

The blogger stresses that Apple needs to “allow the registration of URL Schemes that can instruct Safari to throw an authorization request prior to yanking the user away into the application.”

Both Apple’s security team and the people at Skype have been contacted on the matter.

While Apple was kind enough to respond saying that it’s the developer’s responsibility to ask the user for authorization before performing the transaction, Skype hasn’t answered back, Kim says.

“I do agree with Apple that third-party applications should also take part in ensuring authorization from the user,” Kim writes, yet he believes the Mac maker’s stance leaves several concerns unaddressed.

First and most importantly, he notes, third-party applications can only ask for authorization after the user has already been yanked out of Safari.

He then proposes that Apple should audit the security implications of registered URL schemes as part of its App Store approval process.

Finally, he signals that Skype is just one example of how URL scheme handling in iOS can pose security risks.
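Apple’s position above is that the application launched by the URL scheme must ask the user before acting. As an added example (not code from Kim’s post, Apple or Skype), this hypothetical Swift app delegate for a calling app that registers a made-up `examplecall:` scheme validates the incoming URL and presents a confirmation before dialling; as Kim points out, this prompt can only appear after the user has already been pulled out of Safari.

```swift
import UIKit

// Hypothetical app delegate for a calling app that registers the made-up
// "examplecall" URL scheme (constructed for this example; not Skype's scheme).
class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?

    // Parse the incoming URL into a call target. Anything that is not exactly
    // examplecall://call?id=<safe-id> is refused, so a web page cannot smuggle
    // unexpected parameters into the transaction.
    func callTarget(from url: URL) -> String? {
        guard url.scheme?.lowercased() == "examplecall",
              url.host?.lowercased() == "call",
              let components = URLComponents(url: url, resolvingAgainstBaseURL: false),
              let id = components.queryItems?.first(where: { $0.name == "id" })?.value,
              !id.isEmpty, id.count <= 64,
              id.allSatisfy({ $0.isLetter || $0.isNumber || $0 == "." || $0 == "_" })
        else { return nil }
        return id
    }

    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        guard let target = callTarget(from: url) else {
            return false  // unknown or malformed URL: do nothing at all
        }
        // The launching app (e.g. Safari) is shown for context only; it is never
        // a reason to skip confirmation, since any web page can trigger the launch.
        let source = options[.sourceApplication] as? String ?? "an unknown source"
        let alert = UIAlertController(
            title: "Start a call?",
            message: "\(source) wants to call \(target). Your ID will be visible to them.",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            self.startCall(to: target)  // only reached after explicit consent
        })
        window?.rootViewController?.present(alert, animated: true)
        return true
    }

    func startCall(to target: String) {
        // Hypothetical hook: hand the confirmed target to the app's calling engine.
    }
}
```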
