How to implement secure inter-app messaging in IOS

Question

So I'm looking for a secure way of passing data between two applications (trying to implement a secure OAuth provider for IOS applications). Here is my definition of secure and some additional assumptions/requirements:

1. I want app A to invoke app B and pass it a token TokenA, then app B fetches some result based on this token, and return the results back to app A. Assume there is a malicious app called app C, I want to make sure that app C cannot intercept any messages between app A and B.
2. Assume TokenA is some public information that app C can obtain. I want to make sure that app B does not respond to a request with TokenA unless it comes from app A.
3. Assume app B is actually a "service provider" and app A can supply some info to app B (eg, IOS bundle ID) when app A registered to use the service.
4. The secure messaging method must not require a jailbroken phone.
5. Assume app C can be installed before or after app A and B.

Originally, I thought about using some scheme-based approach, but this is not secure since if app C can register for the same scheme as A and B, then intercept the message (violation to requirement 1).

Checking for duplicated intent is also not enough, since if the user does not have app A installed, the attacker could register for the scheme of app A and bypass this check (violation to requirement 2).

I looked at Facebook's IOS OAuth, and they seem to require apps to enter their "bundle ID" when registering with Facebook. I am quite positive that Facebook is using this bundle ID in some kind of checks, but not sure what.

Any help is appreciated.

Answer 1

There is NO other way of one app directly invoking another apart from url schemes so you have no alternative but to make use of this method and then find a way of securing it to your satisfaction if you want app A to directly invoke app B.

If you absolutely cannot use url schemes then the only other alternative would be some convoluted mechanism like app A and app B communicating indirectly via a remote server.

When an app invokes Facebook on the device the app has registered for and obtained and then hardcoded a facebook token within it which is presumably used in some way to ensure authentication - thus there must be some 3 entity thing going on (an app, the facebook app, and the facebook server).

However I would think you can make data sharing between two apps secure if you use url schemes in combination with the key store - app A posts some encrypted data to the key store and then notifies app B that its available via url schemes, then app B retrieves it from the key store.

If app A and app B know how to encrypt the data then it doesn't matter if app C knows there is data there and can access it. (Actually I think there is a way of using the keychain that can be used to exclude app C from even accessing it but don't have that information to hand at the moment to confirm). Even if app C can access the data in the keychain surely you can find a way of securing it so that app C cannot decode it.

I would start off by first doing lots of research into iOS's keychain and then see what it can offer you.

https://developer.apple.com/library/mac/documentation/security/conceptual/keychainServConcepts/iPhoneTasks/iPhoneTasks.html#//apple_ref/doc/uid/TP30000897-CH208-SW1