Insecure Handling of URL Schemes in iOS

Published: 2010-11-09
Last Updated: 2010-11-09 20:11:12 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Nitesh Dhanjani posted a nice blog post as part of the SANS Application Security blog [1]. He discusses a particular interesting vulnerability in iOS. In iOS, like in other operating systems, application may register themselves to handle particular URL schemes. For example, a URL starting with "tel:" links to the telephone application.

However, how these URL schemes are dealt with depends on the application receiving these requests from the browser. The telephone application will for example prompt the user asking if it should dial the number. Skype on the other hand does not prompt the user. In order to prompt the user, the application has to fully load and start up. So at the very least the attacker may be able to load the application.

Desktop browsers, like for example Firefox, will first prompt the user for these external URL schemes (try "telnet:", which will launches a terminal and open telnet in most cases).


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

3 comment(s)
Diary Archives