
iOS URL schemes allow App-in-the-Middle attacks

Trend Micro experts found that iOS URL schemes could allow an attacker to compromise user accounts through an App-in-the-Middle attack.

According to the researchers' findings, a malicious application installed on iOS can steal sensitive data from other applications. To do this, it must make use of custom URL schemes. iOS runs apps in a sandbox that prevents installed applications from receiving data from each other.

However, Apple also provides methods for exchanging a limited set of data between programs.

URL schemes, which are used for this purpose, allow developers to launch applications through special links, for example facetime://, whatsapp:// and fb-messenger://.

“The URL Schemes function as portals for apps to receive information from other apps. Since Apple allows different apps to declare the same URL Scheme, malicious apps can hijack sensitive data of certain apps. This vulnerability is particularly critical if the login process of app A is associated with app B,” say Trend Micro specialists.

It works like this: a user browsing a site clicks a link such as “Contact us on WhatsApp”. Thanks to the URL scheme, the messenger is launched with all the necessary information.


Trend Micro researchers concluded that an attacker's use of a URL scheme could create certain risks for users.

“iOS allows multiple applications to link a single URL scheme. For example, the Sample:// scheme can use two completely different applications. Thus, a malicious application can use a completely legitimate and well-known scheme,” says the Trend Micro report.

Such an attack is particularly dangerous when the user is completing the process of logging into an account. By successfully exploiting this vulnerability, an attacker may intervene in the exchange of confidential data between legitimate applications.

That is why this attack was called “App-in-the-Middle”.
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
