Skip to content

MASTG-BEST-0055: Validate Source Application in Custom URL Scheme Handlers

When a custom URL scheme triggers a privileged or irreversible action, check sourceApplication from UIOpenURLContext.options before processing the request. This allows you to verify the calling app's bundle ID against an allowlist.

let allowedSources: Set<String> = ["com.example.myapp", "com.example.companion"]

guard let source = context.options.sourceApplication,
      allowedSources.contains(source) else {
    return
}

Check Both URL Delivery Paths

When using the Scene lifecycle, URLs can arrive through two paths: scene(_:willConnectTo:options:) for cold launches and scene(_:openURLContexts:) for warm opens. Validate sourceApplication in both handlers to avoid leaving one path unprotected.

Apple Developer Team Limitation

Apple only populates sourceApplication when the calling app belongs to the same Apple Developer Team. Apps from other teams or system apps (e.g. Safari, Notes) will have sourceApplication set to nil. This means source validation is most useful for restricting URL scheme triggers to your own app suite, not for identifying arbitrary third-party callers.

Note

For apps using pure SwiftUI with .onOpenURL, sourceApplication is not available. If source validation is required, use the Scene lifecycle with SceneDelegate instead.

Tests

MASTG-TEST-0371: Missing Source Validation in Custom URL Scheme Handlers