Security experts at Trend Micro have discovered that iOS URL scheme could allow an attacker to hijack users’ accounts via App-in-the-Middle attack.

Security experts at Trend Micro devised a new app-in-the-middle attack that could be exploited by a malicious app installed on iOS devices to steal sensitive data from other applications. The attack exploits the implementations of the Custom URL Scheme.

Apple iOS implements a sandbox mechanism to prevent that each app could access data of the other ones installed on the device.

Apple also implements some methods to allow sending and receiving limited data between applications, including the URL Scheme (aka Deep Linking). The method could allow developers to launch an app through URLs (i.e. facetime : //, whatsapp : //, fb -messenger : //).

For example, a user can click on “Contact us via Whatspp” within an app, launches the WhatsApp app installed on the device passing the necessary information to authenticate the user.

Experts explained how to abuse the URL Scheme for malicious purposes that could potentially expose users to attacks.

Trend Micro pointed out that iOS allows one single URL Scheme to be used by multiple apps allowing malicious apps to exploit the URL Scheme.

“ iOS allows one single URL Scheme to be claimed by multiple apps. For instance, Sample : // can be used by two completely separate apps in their implementation of URL Schemes. This is how some malicious apps can take advantage of the URL Scheme and compromise users.” reads the analysis published by Trend Micro.

“Apple addressed the issue in later iOS versions (iOS 11), where the first-come-first-served principle applies, and only the prior installed app using the URL Scheme will be launched. However, the vulnerability can still be exploited in different ways.”

The vulnerability is very dangerous when the login process of app A is associated with app B, the image below shows the attack scenario:

When the Suning app users access their e-commerce account using WeChat , it generates a login-request and sends it to the WeChat app installed on the same device using the iOS URL Scheme for the messaging app. The WeChat app received the login request and in turn requests a login token from its server that sends it back to the Suning app.



The experts discovered that since Suning always uses the same login-request query and WeChat does not authenticate the source of the login request, an attacker could carry out a app-in-the-middle attack via the iOS URL Scheme.

“With the legitimate WeChat URL Scheme, a fake- WeChat can be crafted, and Suning will query the fake one for Login-Token. If the Suning app sends the query, then the fake app can capture its Login-Request URL Scheme.” continues the analysis. “WeChat recognizes it, but it will not authenticate the source of the Login-Request. Instead, it will directly respond with a Login-Token to the source of the request. Unfortunately, the source could be a malicious app that is abusing the Suning URL scheme.”

The discovery demonstrates that an attacker using a malicious app with the same Custom URL Scheme as a targeted app can trick them into sharing users’ sensitive data with it.

“In our research, plenty of apps that our system audited were found taking advantage of this feature to show ads to victims. Potentially malicious apps would intentionally claim the URL Scheme associated with popular apps: wechat : //, line : //, fb : //, fb -messenger : //, etc. We identified some of these malicious apps,” explained the researchers.

Experts remarked that the URL Scheme cannot be used for the transfer of sensitive data.

Pierluigi Paganini