
Prevent iOS URL scheme hijack

I have an app that gets opened from another app via a URL scheme. The URL contains signup tokens. As any app can register the same URL scheme as my app, I am concerned a "fake" app can do a man-in-the-middle attack and capture the signup tokens.

My idea is to check that the URL scheme does not open another app when my app is first opened.

From a security perspective, if the URL scheme opens my app the first time, will it always open my app in the future?

How about using iOS 9 universal links?

Unlike custom URL schemes, universal links can't be claimed by other apps, because they use standard HTTP or HTTPS links to your website.

https://developer.apple.com/library/prerelease/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html

This way the "dispatch table" is on your server, so no other app can hijack the signup URL. (URL dispatch is based on AppIDs.)
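As an added illustration of the universal-link approach described in this answer (not code from the answer's author), here is the server-side dispatch table next to the app-side handler that validates the link before trusting the token. The domain `example.com`, team ID `ABCDE12345`, bundle ID `com.example.app` and the `startSignup` function are placeholders, and the delegate method is shown as a free function for brevity; in a real app it lives inside the `UIApplicationDelegate` class.

```swift
// Placeholder dispatch table served at https://example.com/.well-known/apple-app-site-association
// {
//   "applinks": {
//     "apps": [],
//     "details": [ { "appID": "ABCDE12345.com.example.app", "paths": [ "/signup/*" ] } ]
//   }
// }
// The app's matching entitlement: com.apple.developer.associated-domains = ["applinks:example.com"]
import UIKit

enum SignupLinkError: Error { case notHTTPS, wrongHost, wrongPath, missingToken }

/// Extracts the signup token from a universal link, rejecting anything that is
/// not an https URL on our own host with the expected /signup path.
func signupToken(from url: URL) throws -> String {
    guard url.scheme?.lowercased() == "https" else { throw SignupLinkError.notHTTPS }
    guard url.host?.lowercased() == "example.com" else { throw SignupLinkError.wrongHost }
    guard url.pathComponents.count >= 2, url.pathComponents[1] == "signup" else {
        throw SignupLinkError.wrongPath
    }
    let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems ?? []
    guard let token = items.first(where: { $0.name == "token" })?.value, !token.isEmpty else {
        throw SignupLinkError.missingToken
    }
    return token
}

// App delegate entry point: iOS delivers universal links here as an NSUserActivity
// of type NSUserActivityTypeBrowsingWeb, not through the custom-scheme openURL path.
func application(_ application: UIApplication,
                 continue userActivity: NSUserActivity,
                 restorationHandler: @escaping ([UIUserActivityRestoring]?) -> Void) -> Bool {
    guard userActivity.activityType == NSUserActivityTypeBrowsingWeb,
          let url = userActivity.webpageURL else { return false }
    do {
        let token = try signupToken(from: url)
        startSignup(with: token)   // hypothetical app function that redeems the token
        return true
    } catch {
        return false               // unexpected link: ignore it rather than trust it
    }
}
```

Because the association file is fetched by iOS from your HTTPS origin and tied to your team and bundle ID, another app cannot register for the same `/signup/*` path the way it could register your custom scheme.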

It's a valid (and usually ignored) attack vector. It isn't strictly a man-in-the-middle attack as it won't forward the URL on to your app (it can't). It's almost worse as the attacking app would only really be able to crash and it would look like your app had...

Another app could be installed any time your app is in the background. Technically it's possible that an update is released and installed for an existing app while your app is running (it's hard to know if that happens). So, it isn't safe to only test when your app is first opened.
