
Suppose a user forgot their password and requested an email link to reset it. The email could contain a URI link to reset their password. If this is a URI for a registered URI scheme in Android or iOS, is this secure?

For example, if the URI were broadcast to listener applications, can a malicious app take this URI and behind-the-scenes reset the login username and password for the user of the original site?

Can a malicious app register to receive links from any domain, or are there restrictions? (iOS or Android)


Update: The deep linking I'm talking about is:

user48956
  • This question is quite broad - The 'security' of a solution needs to be evaluated in the context of the needs of the application and/or users - If all that is required to reset a password is access to the password reset link and that link could be intercepted, then you need to determine if this is acceptable in your case. If the account provides access to low-value information (say a chat forum) it could be sufficient. If it was a banking site then you would probably want to further interrogate the user once they accessed the reset link. On iOS an app can't intercept email – Paulw11 Mar 18 '14 at 23:31
  • I think I misused deep linking. It means different things to iOS developers vs. web developers. What I'm interested in is custom URL schemes, such as `myapp://path/to/what/i/want?d=This%20is%20a%20test`. By insecure, what I mean is, as in my example, should I worry about encoding keys or access tokens in the URI. For web URLs, I don't think this is a big issue (yes, it's often safe to encode an access token in the URL). For custom URI schemes, I'm less certain. Have updated the question. – user48956 Mar 19 '14 at 01:38

2 Answers

On Android devices, I believe you receive a chooser dialog if more than one application is registered with the same deeplink URI scheme. This allows the user to choose which application to actually use to resolve the deeplink URI and complete the action:

[Image: Complete action intent chooser dialog]

Not entirely sure why iOS did not choose to implement something similar, though I'd imagine it was because it can sometimes provide for a somewhat inconvenient and/or confusing user experience.

jerluc

There is no security around the registration of custom URL schemes in iOS. Apple's documentation states:

If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme.

I am not sure what the situation is on Android, but I suspect it is similar - the scheme is simply listed in the manifest file.

For someone to exploit this they would need to

  1. Identify your technique & URI format
  2. Craft an application to exploit it
  3. Get that app into an app store (Getting it into the Apple App Store is trickier - the app would effectively have to be a 'trojan horse' - offering some primary value with the exploit functionality second.)
  4. Get the user to install the app
  5. Wait for the user to forget their password

As per my comment to your questions, you need to evaluate the risk in the context of your application and what the account grants access to, but on the surface the likelihood of an exploit seems low.

Paulw11
  • For Android, there is an `intent` scheme for mapping URIs to specific application intents by application ID (package name) which must be unique in order to be in the Play Store: https://developers.google.com/chrome/mobile/docs/intents – jerluc Mar 19 '14 at 05:10
  • @jerluc - This link is dead – Jignesh Shah Jun 19 '19 at 07:05
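
Added example, not from any of the posts above: one way to make a reset token carried in a `myapp://` link useless to another app registered for the same scheme is to bind it to a secret the requesting app keeps, in the style of OAuth PKCE. It assumes the reset is requested from the app itself; the function names, the `reset` path and the `token` parameter are hypothetical.

```python
from __future__ import annotations
import base64, hashlib, hmac, secrets, time

TOKEN_TTL = 900  # seconds a reset link stays valid (constructed value)
_pending = {}    # sha256(token) -> record; stands in for a server-side table


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _challenge(verifier: str) -> str:
    return _b64(hashlib.sha256(verifier.encode()).digest())


def new_verifier() -> tuple[str, str]:
    """App side: keep the verifier on the device, send only the challenge."""
    verifier = _b64(secrets.token_bytes(32))
    return verifier, _challenge(verifier)


def issue_reset_link(user: str, challenge: str, now: float | None = None) -> str:
    """Server side: build the emailed link; the token alone resets nothing."""
    now = time.time() if now is None else now
    token = _b64(secrets.token_bytes(32))
    key = hashlib.sha256(token.encode()).hexdigest()  # raw token is never stored
    _pending[key] = {"user": user, "challenge": challenge, "expires": now + TOKEN_TTL}
    return f"myapp://reset?token={token}"  # path and parameter name are assumptions


def redeem(token: str, verifier: str, now: float | None = None) -> str | None:
    """Server side: return the account to reset, or None if refused."""
    now = time.time() if now is None else now
    # Single use: the record is consumed on the first attempt, valid or not.
    rec = _pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None or now > rec["expires"]:
        return None
    # An app that only saw the URI cannot produce the matching verifier.
    if not hmac.compare_digest(_challenge(verifier), rec["challenge"]):
        return None
    return rec["user"]
```

Because a failed attempt also consumes the token, a reset that fails unexpectedly in the legitimate app is a signal worth logging: something else redeemed or burned the link first.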