Security BSides Las Vegas is on the horizon and approaching fast, once again being held at the Tuscany Suites & Casino on August 5th & 6th, and so we are carrying on our tradition of running a few feature articles highlighting some of the fantastic presentations that are slated for the event.
BSidesLV, like all Security BSides events, is a security conference that is 100% volunteer event organized by-and-for the security community, and with some of the most passionate and innovative security practitioners from around the world coming to Vegas, BSidesLV is definitely the place to be.
First up is a session being delivered by Guillaume Ross (@gepeto42) with a talk titled iOS URL Schemes: omg://, which will look at real life examples of implementations of URL Schemes that could lead to issues such as destruction of data or that may be exploited by a malicious entity to identify a targeted iOS user.
The presentation will also examine some simple ways developers can improve URL Scheme security for their users, as well as strategies used to detect some URL Scheme vulnerabilities.
Ross is an independent information security consultant with over ten years of experience in IT, having worked in multiple verticals at companies of varying sizes ranging from less than 10 to over 100,000 employees addressing risk, cost and IT management efforts by recommending and implementing appropriate solutions for the banking, insurance, telecommunication, transportation and education sectors.
He holds a Certified Information Systems Security Professional (CISSP) certification, as well as being a VMware Certified Professional on vSphere 4 (VCP4), Microsoft Certified IT Professional (MCITP) as an Enterprise Administrator, and Microsoft Certified IT Professional (MCITP) as a Database Administrator.
“Have you ever clicked a phone number in Safari to get the phone app to call that store/car dealership/pizza place you were searching for? In iOS, this interaction between apps happens via URL schemes, which are available for Apple apps as well as third party applications,” Ross said.
“Everyone uses them without noticing they exist. They are the most flexible of the imperfect methods available right now. They are also, however, a source of user input that should never be trusted as safe.”
Why? URL Schemes open up holes in applications on a platform that most people trust by default simply because Apple has a reputation for being very strict about sandboxing and approving applications before they are made available.
“But it seems developers have a natural tendency to assume that security is not a concern and they often ignore potentially malicious ways someone could send input into their apps,” Ross said. “So it is important for end-users to understand the risks involved with these schemes.”
The session is designed to appeal to security researchers who may find problems in applications related to this issue, to enterprise iOS administrators and information security teams who need to understand how these problems manifest before approving an application for use on corporate devices, and most of all for application developers who need to be aware of the potential impact of using dangerous URL schemes.
“I want developers to understand how they can improve their use of URL Schemes to provide better security, and also inspire curious researchers to go out and hunt for URL scheme related bugs so they can be mitigated,” Ross said. “My long term hope is that this presentation will help to improve awareness of this issue in the Apple community.”
As usual, whenever someone is implementing a functionality for automation or convenience, there can be a decisively negative impact on security and privacy if potential vulnerabilities are not considered a priority in development.
“As customers want more and more ‘power-user’ features for iOS apps, it is tempting for developers to implement URL Schemes too rapidly, and they forget that these schemes are subject to inputs that could be as malicious as any data input into a web application,” he emphasized.
Ross says he believes that with education and awareness efforts, developers who are implementing URL Schemes will begin to make both security and privacy as a priority, and that they will eventually shift to new techniques proposed by Apple that are more secure by nature with the release iOS 8.