maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/mobile-pentesting/ios-pentesting/ios-universal-links.md

124 lines
8.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# iOS Universal Links
{{#include ../../banners/hacktricks-training.md}}
## Introduction
Universal links offer a **seamless redirection** experience to users by directly opening content in the app, bypassing the need for Safari redirection. These links are **unique** and secure, as they cannot be claimed by other apps. This is ensured by hosting a `apple-app-site-association` JSON file on the website's root directory, establishing a verifiable link between the website and the app. In cases where the app is not installed, Safari will take over and direct the user to the webpage, maintaining the app's presence.
For penetration testers, the `apple-app-site-association` file is of particular interest as it may reveal **sensitive paths**, potentially including ones related to unreleased features.
### **Analyzing the Associated Domains Entitlement**
Developers enable Universal Links by configuring the **Associated Domains** in Xcode's Capabilities tab or by inspecting the `.entitlements` file. Each domain is prefixed with `applinks:`. For example, Telegram's configuration might appear as follows:
```xml
<key>com.apple.developer.associated-domains</key>
<array>
<string>applinks:telegram.me</string>
<string>applinks:t.me</string>
</array>
```
For more comprehensive insights, refer to the [archived Apple Developer Documentation](https://developer.apple.com/library/archive/documentation/General/Conceptual/AppSearch/UniversalLinks.html#//apple_ref/doc/uid/TP40016308-CH12-SW2).
If working with a compiled application, entitlements can be extracted as outlined in [this guide](extracting-entitlements-from-compiled-application.md).
### **Retrieving the Apple App Site Association File**
The `apple-app-site-association` file should be retrieved from the server using the domains specified in the entitlements. Ensure the file is accessible via HTTPS directly at `https://<domain>/apple-app-site-association` (or `/.well-known/apple-app-site-association`). Tools like the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/) can aid in this process.
> **Quick enumeration from a macOS/Linux shell**
>
> ```bash
> # assuming you have extracted the entitlements to ent.xml
> doms=$(plutil -extract com.apple.developer.associated-domains xml1 -o - ent.xml | \
> grep -oE 'applinks:[^<]+' | cut -d':' -f2)
> for d in $doms; do
> echo "[+] Fetching AASA for $d";
> curl -sk "https://$d/.well-known/apple-app-site-association" | jq '.'
> done
> ```
### **Handling Universal Links in the App**
The app must implement specific methods to handle universal links correctly. The primary method to look for is [`application:continueUserActivity:restorationHandler:`](https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623072-application). It's crucial that the scheme of URLs handled is HTTP or HTTPS, as others will not be supported.
#### **Validating the Data Handler Method**
When a universal link opens an app, an `NSUserActivity` object is passed to the app with the URL. Before processing this URL, it's essential to validate and sanitize it to prevent security risks. Here's an example in Swift that demonstrates the process:
```swift
func application(_ application: UIApplication, continue userActivity: NSUserActivity,
restorationHandler: @escaping ([UIUserActivityRestoring]?) -> Void) -> Bool {
// Check for web browsing activity and valid URL
if userActivity.activityType == NSUserActivityTypeBrowsingWeb, let url = userActivity.webpageURL {
application.open(url, options: [:], completionHandler: nil)
}
return true
}
```
URLs should be carefully parsed and validated, especially if they include parameters, to guard against potential spoofing or malformed data. The `NSURLComponents` API is useful for this purpose, as demonstrated below:
```swift
func application(_ application: UIApplication,
continue userActivity: NSUserActivity,
restorationHandler: @escaping ([Any]?) -> Void) -> Bool {
guard userActivity.activityType == NSUserActivityTypeBrowsingWeb,
let incomingURL = userActivity.webpageURL,
let components = NSURLComponents(url: incomingURL, resolvingAgainstBaseURL: true),
let path = components.path,
let params = components.queryItems else {
return false
}
if let albumName = params.first(where: { $0.name == "albumname" })?.value,
let photoIndex = params.first(where: { $0.name == "index" })?.value {
// Process the URL with album name and photo index
return true
} else {
// Handle invalid or missing parameters
return false
}
}
```
Through **diligent configuration and validation**, developers can ensure that universal links enhance user experience while maintaining security and privacy standards.
## Common Vulnerabilities & Pentesting Checks
| # | Weakness | How to test | Exploitation / Impact |
|---|----------|------------|-----------------------|
| 1 | **Over-broad `paths` / `components`** in the AASA file (e.g. `"/": "*"` or wildcards such as `"/a/*"`). | • Inspect the downloaded AASA and look for `*`, trailing slashes, or `{"?": …}` rules.<br>• Try to request unknown resources that still match the rule (`https://domain.com/a/evil?_p_dp=1`). | Universal-link hijacking: a malicious iOS app that registers the same domain could claim all those links and present phishing UI. A real-world example is the May 2025 Temu.com bug-bounty report where an attacker could redirect any `/a/*` path to their own app. |
| 2 | **Missing server-side validation** of deep-link paths. | After identifying the allowed paths, issue `curl`/Burp requests to non-existing resources and observe HTTP status codes. Anything other than `404` (e.g. 200/302) is suspicious. | An attacker can host arbitrary content behind an allowed path and serve it via the legitimate domain, increasing the success rate of phishing or session-token theft. |
| 3 | **App-side URL handling without scheme/host whitelisting** (CVE-2024-10474 Mozilla Focus < 132). | Look for direct `openURL:`/`open(_:options:)` calls or JavaScript bridges that forward arbitrary URLs. | Internal pages can smuggle `myapp://` or `https://` URLs that bypass the browsers URL-bar safety checks, leading to spoofing or unintended privileged actions. |
| 4 | **Use of wildcard sub-domains** (`*.example.com`) in the entitlement. | `grep` for `*.` in the entitlements. | If any sub-domain is taken over (e.g. via an unused S3 bucket), the attacker automatically gains the Universal Link binding. |
### Quick Checklist
* [ ] Extract entitlements and enumerate every `applinks:` entry.
* [ ] Download AASA for each entry and audit for wildcards.
* [ ] Verify the web server returns **404** for undefined paths.
* [ ] In the binary, confirm that **only** trusted hosts/schemes are handled.
* [ ] If the app uses the newer `components` syntax (iOS 11+), fuzz query-parameter rules (`{"?":{…}}`).
## Tools
- [GetUniversal.link](https://getuniversal.link/): Helps simplify the testing and management of your app's Universal Links and AASA file. Simply enter your domain to verify AASA file integrity or use the custom dashboard to easily test link behavior. This tool also helps you determine when Apple will next index your AASA file.
- [Knil](https://github.com/ethanhuang13/knil): Open-source iOS utility that fetches, parses and lets you **tap-test** every Universal Link declared by a domain directly on device.
- [universal-link-validator](https://github.com/urbangems/universal-link-validator): CLI / web validator that performs strict AASA conformance checks and highlights dangerous wildcards.
## References
- [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis)
- [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8)
- [https://medium.com/@m.habibgpi/universal-link-hijacking-via-misconfigured-aasa-file-on-temu-com-eadfcb745e4e](https://medium.com/@m.habibgpi/universal-link-hijacking-via-misconfigured-aasa-file-on-temu-com-eadfcb745e4e)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-10474](https://nvd.nist.gov/vuln/detail/CVE-2024-10474)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink