iOS URL Schemes: omg://

Presented at BSidesLV 2014, Aug. 6, 2014, 10 a.m. (30 minutes)

Have you ever clicked a phone number in Safari to get the phone app to call that store/car dealership/pizza place you were searching for? In iOS, this interaction between apps happens via URL schemes, which are available to Apple applications as well as third-party applications. Everyone uses them without noticing they exist. They are the most flexible of the imperfect methods available right now. They are, however, a source of user input that should never be trusted as safe. In this presentation, we will look at real-life examples of implementations of URL Schemes that could lead to issues such as destruction of data or help a malicious person identify an iOS user. We will also look at simple ways to improve URL Scheme security for users of your apps as well as how to find URL Scheme vulnerabilities, for the ones out there who would like to help out.

Presenters:

  • Guillaume Ross - Senior Security Consultant - Rapid7
    Guillaume provides customers with expert advice to help define a program that fits their needs and meets their key business objectives. He has more than 10 years of experience in security and IT, and has worked with a variety of clients, including Fortune 1000 companies and organizations across various vertical industries, such as finance, mining, education, engineering, and transportation. He is known for exposing security issues related to iOS URL Schemes, including issues with iOS/FaceTime.
