iOS URL Schemes: omg:// - Guillaume K. Ross (BSides Las Vegas 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)

iOS URL Schemes: omg://
Guillaume K. Ross

Have you ever clicked a phone number in Safari to get the phone app to call that store/car dealership/pizza place you were searching for? In iOS, this interaction between apps happens via URL schemes, which are available to Apple applications as well as third-party applications. Everyone uses them without noticing they exist. They are the most flexible of the imperfect methods available right now. They are, however, a source of user input that should never be trusted as safe. In this presentation, we will look at real-life examples of implementations of URL Schemes that could lead to issues such as destruction of data or help a malicious person identify an iOS user. We will also look at simple ways to improve URL Scheme security for users of your apps as well as how to find URL Scheme vulnerabilities, for the ones out there who would like to help out.

Bio: Guillaume is an Information Security consultant with a background in IT. He can typically be found in the Montréal area, helping companies from big to huge with their information security programs. In the past two years, he has been working mostly on enterprise security architecture as well as cloud security architecture, both from a vendor and a service consumer perspective. None of this is relevant to his talk at BSidesLV 2014, where only his credentials as an Apple geek are useful.


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast