8

The Scenario:

A web application that once a new user completes the registration, an email will be sent, containing a URL that once tapped from within an iOS device, the iOS app will be launched. This scenario is a classic scenario to make users use the mobile app.

While implementing it (using URL scheme), we start wondering how secured is this method? Theoretically - a malicious app could sign up to the same URL scheme, and according to Apple:

Note: If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme.

Implementing Custom URL Schemes by Apple

In such scenario, if a user is tapping the url inside the email, it is unknown which of the two (or more apps) will be launched - ours or the malicious one. Lets say a different app is being launched - if its really malicious, theoretically it could mimic the login page of our app and grab the user's credentials.

Are there any best practices that handles such scenario? I've read many articles regarding the issue, all of them claims that the only solution is to wait for Apple to make these url schemes unique. example1, example2

I would love hearing about any solution to the issue if exist, Thanks in advance!

goldengil
  • 1,007
  • 9
  • 25

2 Answers2

4

We have to assume the malicious app can intercept any data included in this url and that it's author has been free to reverse engineer any behavior included in your app so it can imitate your UI and any validation your app attempts to perform. However we can also assume that the malicious app is contained in its own sandbox so your app can communicate with your backend privately. The malicious app can imitate any such communication but this does allow us to construct a secret unknown to the malicious app. That gives us at least an opportunity to design some countermeasures.

One option might be:

  1. As part of registration construct a public/private key pair and store it in your app.
  2. Send the public key to your web backend as part of the registration process.
  3. Encode they payload of your URL using that public key.

Now we've sent data to your app which might be redirected to a malicious app but which the malicious app cannot read. That's a partial solution. We still need to be careful to design a UI which does not encourage a user to fall for a phishing attack since the URL might still launch the imposter.

The encoded data might be a token we can use to authenticate the user and therefore never require them to re-authenticate within the app. Then there is no login screen to imitate (though a clever forgery might still be enough to trick users into divulging their credentials).

An alternative might be to use a similar per-user secret stored on the client as a salt to combine with the user's password. Their password alone might then be insufficient to authenticate so a malicious app capturing their credentials is not immediately able to access their account.

Another design could be to allow the user to customize their experience in a recognizable way. You might show their selected profile image on the sign in screen. If that selection is known only to your app then an imitator shouldn't be able to duplicate it reliably (again, no guarantee that means users will catch the deception).

All of this introduces tradeoffs; users might still be tricked into revealing information to malicious apps no matter how different they appear from your legitimate client, client side secrets can be extracted by other attacks, and you need a plan to support users who switch, lose, or upgrade devices. You have to decide if any of this actually improves the security of your users and if it is worth the cost to implement.

Jonah
  • 17,918
  • 1
  • 43
  • 70
  • These options are very interesting, and yet, as you mentioned - that would mean solution to one device only. The rumors about iOS9 are that its going to focus on security (along with stability and optimizations) - so maybe the expected solution (of Apple fixing the issue) is just around the corner. Thanks a lot! – goldengil May 28 '15 at 16:00
1

Try something like this:

In your email, state that clicking on the URL will launch the app and log you in for the first time then prompt user to enter their new password. Include a token in the URL which, when handled by your app, does a one-off login and put the user on a "New Password" page.

If a malicious app has also registered your custom URL and steals the link, they should (hopefully) not be able to do much with it. Even if they replicate your interface and prompt the user for a new password, it's not going to achieve anything.

edit: After thinking on this further, as long as you have an active attacker, you're pretty much screwed. The attacker could continue to emulate your app, effectively MITMing you, regardless of what you do, as long as they're able to hijack that initial URL. My solution would only work in the most basic of cases, not really reliable.

Endareth
  • 492
  • 3
  • 15
  • 1
    A malicious app could capture this token and perform whatever client side action the intended recipient app would normally perform. – Jonah May 27 '15 at 02:48
  • 1
    Yeah, I was thinking something like this shortly after posting... it comes down to how much effort the attacker is willing to put in. Unfortunately this entire situation seems to leave the attacker permanently ahead of the game. The more I think about it, the more I fail to see any solution other than for Apple to fix the root cause. – Endareth May 27 '15 at 03:02