
MASTG-TEST-0371: Missing Source Validation in Custom URL Scheme Handlers

Overview

Custom URL scheme handlers that perform security-sensitive operations should validate the source application before acting on incoming requests (see Custom URL Schemes). The sourceApplication property (UIOpenURLContext.options.sourceApplication in scene-based apps, or options[.sourceApplication] in application(_:open:options:)) carries the bundle ID of the calling app, allowing the handler to check it against an allowlist before processing the URL.

Apple only populates sourceApplication when the calling app is signed by the same Apple Developer Team as the receiving app. Apps from other teams, including system apps such as Notes or Safari, will have sourceApplication set to nil. This is an Apple platform limitation: the property cannot distinguish one third-party app from another, so a nil value must always be treated as untrusted. It does, however, allow verifying that the URL was opened by one of your own apps, which is useful when a URL scheme triggers privileged actions that should only be reachable from within your app suite.

This test checks whether the app's URL scheme handler reads and validates sourceApplication before performing sensitive operations.
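The following scene delegate is an added illustration of the check this test looks for; it is not the MASTG demo code. The bundle IDs in allowedSources, the URL hosts, and the action methods are placeholders chosen for the example. It also covers a path the test's observation does not name explicitly: URLs that cold-launch the app are delivered through connectionOptions.urlContexts in scene(_:willConnectTo:options:), so the same validation has to run there as well.

```swift
import UIKit

/// Pure decision logic, kept separate from the delegate so it can be unit-tested.
/// Returns true only if `source` is a known sibling app. A nil source means the
/// caller is outside our Apple Developer Team (or is a system app) and is never
/// trusted for privileged actions.
func isTrustedSource(_ source: String?, allowedSources: Set<String>) -> Bool {
    guard let source = source else { return false }
    return allowedSources.contains(source)
}

/// Hosts in our scheme (e.g. myapp://approve-transfer/...) that perform
/// security-sensitive or irreversible operations. Placeholder values.
let privilegedHosts: Set<String> = ["approve-transfer", "wipe-session"]

final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?

    /// Assumption: these are other apps in our own suite, signed by the same
    /// team. Only such apps ever populate sourceApplication, so this list can
    /// never authorise a third-party app by mistake.
    private let allowedSources: Set<String> = [
        "com.example.companion",
        "com.example.admin"
    ]

    /// URLs delivered while the app is already running.
    func scene(_ scene: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>) {
        URLContexts.forEach(handle)
    }

    /// URLs that launched the app arrive here instead of openURLContexts,
    /// so the same validation must be applied to them.
    func scene(_ scene: UIScene, willConnectTo session: UISceneSession,
               options connectionOptions: UIScene.ConnectionOptions) {
        connectionOptions.urlContexts.forEach(handle)
    }

    private func handle(_ context: UIOpenURLContext) {
        let url = context.url
        guard let host = url.host else { return }

        if privilegedHosts.contains(host) {
            // Privileged action: reject unless the caller is a known sibling app.
            let source = context.options.sourceApplication
            guard isTrustedSource(source, allowedSources: allowedSources) else {
                // Log for detection, then drop the request without acting on it.
                NSLog("Rejected privileged URL %@ from source %@",
                      url.absoluteString, source ?? "nil")
                return
            }
            performPrivilegedAction(for: url)
        } else {
            // Public deep link with no privileged effect: any app may open it,
            // but the URL's parameters still need their own input validation.
            openPublicContent(for: url)
        }
    }

    private func performPrivilegedAction(for url: URL) {
        // Placeholder for the sensitive operation (e.g. approving a transfer).
    }

    private func openPublicContent(for url: URL) {
        // Placeholder for non-sensitive navigation (e.g. showing a report).
    }
}
```

Keeping the allowlist decision in isTrustedSource makes the nil case explicit and testable; a handler that only checks `if let source = ...` and then performs the action regardless of the value would pass the "reads sourceApplication" part of this test while still being vulnerable. Source validation only establishes which app opened the URL; the query and path components of the URL still have to be validated separately.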

Note

If the app intentionally allows any app on the device to trigger the URL scheme (for example, a publicly documented deep-link scheme with no privileged actions), source validation may not be required and this test may not apply.

Steps

  1. Use Exploring the App Package to extract the relevant binaries from the app package.
  2. Use Static Analysis on iOS to look for the relevant APIs in the app binaries.

Observation

The output should contain the disassembly of any scene(_:openURLContexts:) implementation found in the binary, including any references to sourceApplication and allowedSources or equivalent allowlist properties.

Evaluation

The test case fails if any URL scheme handler is found that does not read UIOpenURLContext.options.sourceApplication and validate it against an allowlist, treating a nil value as untrusted, before performing security-sensitive or irreversible operations.

Best Practices

MASTG-BEST-0045: Limit Sensitive Data Exposure Through iOS IPC Channels
MASTG-BEST-0055: Validate Source Application in Custom URL Scheme Handlers

Demos

MASTG-DEMO-0135: Custom URL Scheme Handler with Source Validation