
So big trash last name, if you would, to finally introduce yourself now. Is she lovely? All right, thank you. So, any time, right? Good morning everyone, my name is Guillaume and today we'll be talking about iOS URL schemes, and that's Apple iOS, not Cisco IOS. The reason why the I is uppercase is just that my font was not good, so the display changed. With this, in your slides looking incorrect, is there a way to tell the other slide? I do apologize, I didn't... no, no, I mean in the presentation software, yes, can we tell? It wasn't intentional, resolution... now... yeah, okay, so it just means that the slides don't look quite right. I can apologize ahead on the recording, you mean, because they look good there? Okay, if you want I can probably provide them to you in a different format after. Okay, again I do apologize for that, I just wanted to make sure that, you know, the recording is everything okay. All right, thank you. For those testing, oh, there's no speakers, right? Twelve? Yeah, they're working. All right, so take two: my name is Guillaume, we're going to be talking about the iOS URL schemes. So I already made that joke, so I won't do it again.

So if you're an iOS user, have you ever wondered how communication between applications works? Most applications feel pretty isolated, like their own little islands: you do your stuff, you move to a different application, you do some other stuff. But in some cases a small amount of data is passed from one application to the other, and magic happens, and it makes you save a lot of time. So a really basic example that I'm going to show here is: you're using Google and you're looking for bars in Las Vegas, because of course you need Google to find one, and as soon as you find one what you want to do is call, maybe to make a reservation. So this application, that's just the Google app for iOS, as soon as you click on the call button it's going to prompt you and say, do you really want to call that place, and then you say yes and the phone call is placed. So you didn't have to type in that phone number and you just saved a bit of time.

So what are the different methods an application can use to exchange information? We got a few. There's the cloud, and when I say the cloud that's only iCloud, because iCloud is really sandboxed, so I'd call it good for sharing data between the same application on multiple devices, but it's not good to share data between different applications, for now. There's the pasteboard, which is similar to a clipboard on iOS; it's not really meant for inter-app communications. Then we got hacks. What I mean by hacks is stuff that's not meant to be used for this but that some applications have tried in the past, for example storing contacts and reminders as configuration data so multiple apps could read them. That works fine, except Apple is going to pull the application from the App Store as soon as they notice, so that's no good. Then we got the Open In menu. I'm sure a lot of you do that: you email files to yourself, then you do Open In Dropbox and do that, and then you end up with multiple copies of the same file, so that's not really good either. We have AirDrop, only good to send data between two devices, not between two applications. So what we're left with, and this is clearly a case of using whatever we have available, is URLs.

So today we'll see what these URLs will do, how they work, I'll show you some good examples and bad examples of how to use them, ideas for using them more securely, and I'll show you how you can find some more vulnerabilities in these URL schemes. So what they do is implement very basic communication between applications. You have a source application, you have a trigger; a trigger could be a user clicking a button that says send this to my to-do list or send this to my notes. You got the destination app that receives the data, handles it, and that in the end just enables the workflow.

So how does the source application know what the destination application is? Applications get installed, and whenever you install an application directly on an iOS device or through iTunes, it's going to register its handler. A handler is basically like http:// in a URL, except the applications can register pretty much anything that they want. So are these registered handlers unique? Well, not really. There's a few you can't ever reuse: these are the basic schemes that just come pre-installed on iOS, no application can reuse these, and that's one of the reasons why you can't change your default mail browser on iOS, because you can't just take that mail scheme and use it for yourself. So these are pretty simple. The mail one is just like on a PC, it's mailto:, so you click on a link and it pre-populates an email. The telephone one, which we saw before, is just passing a phone number to the telephone application. SMS works the same, and it works with iMessage as well. So these are all pretty simple. Then we got some slightly more complicated ones like Maps: if you have a restaurant, for example, you could have a button that would send a user to the Maps app and trigger the directions to that restaurant. iTunes is one: has anyone ever ended up on a kind of shady-looking website that just redirected you to the App Store so you would buy, like, a crappy Flappy Bird clone or something weird like that? That's what is used for that; they use the iTunes URL scheme to do that, and they do that because you get money from all the purchases that you make on the App Store. And then we got FaceTime, which we will see in more detail later on, that can be used for audio and video calls.

Then there's some even more advanced use cases that enable two-way communication. So what we see here is an application called Day One. It's a diary application that does not really encrypt your notes, so what you want to do with that is obviously you want to store that in Dropbox, right? So this application knows how Dropbox works, and in the settings you will see there's an option to enable Dropbox synchronization. So as soon as I click on that Dropbox button it's going to send me to Dropbox, and as Dropbox appears it's going to ask me, do you really want to grant this Day One application access to this folder, and as soon as I click Allow, Dropbox knows how to send the information back, everything is enabled. I didn't have to go to dropbox.com and give permissions or do anything special. So as a user that was fantastic, that was easy, that was fast. Was that secure? Well, different story.

So as we do automated workflows like that, what can happen is over-automation. So the example I'm going to show here, this application is just a launcher, so these icons that you see, they're just URLs, there's nothing funky going on in this application. So as I click that, you'll see really quick a calendar application flashing and then I'm on the BSides website. So what happened? I go back to my calendar and I have something that tells me I need to crash the Nike party, because why does Nike have a party at Black Hat? That's just weird. How did that work? Okay, so now I'll click the real link and again it flashes really fast, I'm in Safari. What happened? I go back to my calendar, now I got two. So it just created an item in my calendar, and this is Fantastical, a pretty popular third-party calendar for iOS, and I saw it flash by, but no user interaction was really needed. And why is that? Well, that's because the developer, when he made this application, added kind of an evil bit, and that evil bit is add=1. When you add that to whatever data you send to it, it's not going to ask for anything, it's just going to do it. So okay, that's just a calendar, that's not really dangerous; it could be annoying if I set it to wake you up at 5am tomorrow morning. How did I send that back to the BSides website? It's because the application supports a standard called x-callback-url. That's just a standard that developers have been using to send data to one application and then receive the response back, so you can have more advanced workflows. So the attack surface grows: the more stuff we add, the more potential for something to go wrong.

So this example, which I borrowed from a website called MacStories, is just to show you how big the attack surface can get with these things. So what we see right now is just a standard iOS browser. Someone has just selected a piece of text and is going to click on a bookmark in his bookmarks, which is just a piece of JavaScript code. This JavaScript code took that text and triggered the URL scheme for another application, which is a notes application called Drafts. This application runs Python. That's what... you just stop there, because yes, you can actually execute some other languages on iOS now. Once that application is done, it triggers a different URL scheme that sends that data to a to-do app, where the guy can put this URL, add a little comment, and when he's done he's just going to say Add, and it's going to ask him, do you want to go back to your browser? So in this example we had a browser, JavaScript code, a notes application, Python code, a to-do list, and then back to the browser. So there's a lot of potential for these things to go wrong.

So the first person to find things going wrong with these was Nitesh Dhanjani in 2010. He found an issue with Skype that you could use to place a phone call with Skype with no user interaction, and he posted about that on his blog and on the SANS website. But Skype back then was one of the very few applications that used that, so we didn't really hear more about that since 2010. And the most interesting thing he found, and you can't see it on that screenshot right there, so here's the code: he found that Safari will execute any URL scheme automatically if it's located within an iframe, an inline frame. So all this stuff I was showing before could be triggered as you're browsing a website, and that's the second part that these kind of crappy websites use to send you back to the App Store.

So I figured, what can I do with that that would be a little bit more evil than that? So I looked at all the applications I had on my phone and I found this first one. The application is called Byword; it's a really good text editor for Mac, iPad and iOS, and it had a feature to overwrite a file using a URL scheme. That's not weird at all. So it looked like this: by doing this you would replace the file important.txt in iCloud with the text "for the lulz", and the previous file has been overwritten, and unlike Dropbox, iCloud doesn't really let you go back to a previous version, so that's permanent data loss for most users. And iCloud is pretty flat, so guessing that someone might have a file called notes.txt or todo.txt or important.txt doesn't sound that hard. So I reported the issue to the vendor, they acknowledged, within a few weeks a patch was out, but the patch is just... there's a warning sign now, so it basically goes, are you sure you really want to destroy your data, and then if you say yes, well, then it just does it. So I guess it's a lot better than it was before, but not much.

So the next day I looked at some other applications I had on my phone, and Tweetbot is one of the most popular iOS Twitter clients, and it has a scheme that allowed you to follow a user. So my first thought was, oh my God, all my friends are going to be following Justin Bieber soon, and that's the exact code. So I notified the vendor, they acknowledged that this was a security issue, it took them a little while, they released a paid upgrade which fixed the issue, and then went back and did fix the previous version. So that took a while, and from a security perspective that's not the end of the world, I mean, you just followed someone, you can unfollow them. So why is it so bad? Well, it's really bad for your privacy, because Twitter can send you notifications when someone has just started following you. So even if you unfollowed them, they know what your Twitter account is, and if you mix that with the fact that Safari will execute these automatically, that's a really good way to identify a website user and de-anonymize them. So here's what it actually looked like. So what we see here is a phishing email; it just says something about a Canadian mayor smoking crack, so you should know it's phishing, right, that's so far-fetched. So I'm just going to highlight the video link; it just shows that the URL I'm clicking on is a perfectly normal, valid URL, and as soon as I click it you'll see Safari flashing really fast with a troll face, and then I'm sent to Tweetbot, and at the top, there's a cropping issue here, but you can see "You are now following Justin Bieber", and that happens really fast, and there's nothing you can do to stop it once it starts. So I just unfollowed him. And fun fact, I tested that like hundreds of times and I never got banned by Twitter for it; it seems to be a weird use case.

And then I thought, how could I make this even worse, automated maybe? Could I use ad networks and embed these inline frames in there and get a lot of people to follow me or follow someone else? That would be pretty evil. But I figured there's not enough people that use Tweetbot; I know a lot of people that do, but that's just because I know a lot of geeks, most people just use the standard Twitter application. So that wasn't what I really was looking for. So I get back to my phone and I look at the applications I have and I figured, what's more popular than Tweetbot that I have that could be used for this? And I found FaceTime. Pretty much everyone who's got an iOS device uses FaceTime, right? The issue is really similar to the Tweetbot one, so it's a really important privacy risk because it affects most iOS users. So what happened is FaceTime used to be video only in iOS 6 and previous versions, and they added FaceTime Audio in iOS 7. The video calls would ask you for confirmation before placing it, but the audio calls did not. I don't know why, and I also don't know why they called it FaceTime Audio, that's a really stupid name, they should have called it VoiceTime, which would be much better. So this inline frame on any website would make you call me. That's my email address, that's my iCloud account, please don't hack it. So that would call me, and as soon as the call is placed I see the caller ID information. So if you're using your iCloud email address, I see that; if you're just using your phone number for FaceTime, I see that. So if there's anyone that's got iOS 7.0.6, or that's got the latest version and has Chrome, well, demo gods plus AT&T roaming equals a two percent chance of success, but if you browse there during the talk that's probably going to call my phone, which is on mute. So we can do a small live demo, but I got a video of what it looked like. So you can see my wonderful office on the right; on the left is my iPad. So I'm just browsing a website, I'm just clicking a link, I know you don't see the text, but it's not really important, and as soon as I click on that link the recording stops on my iPad, because it doesn't let you record when you're placing a call, and on my phone I see my name. I would see the email address or the phone number, but I have myself in my contacts, which might sound weird, but it's just so I can send it to other people. And it happens really fast; even if you hang up, your caller ID info is already there.

So I looked at Apple's Secure Coding Guide, and what did it say about these URL schemes? They say, whether you make the commands public or not, hackers will try sending commands to your application, and I think that's like the history of the world: you just made something, someone is going to try to break it. And then what did they do? They fixed Safari, so Safari prompts you before calling someone, but there's a whole bunch of other applications that are browsers on iOS, and the issue is not fixed for these guys, because it's not the FaceTime application that's been fixed. So I looked at the browsers I had on my phone, and I had a few that I use quite a bit. So 1Password, really good guys, they're like, yeah, this is really bad, they fixed it super fast. The second one is Onion Browser, it's an official Tor browser for iOS, not the bad one that was malware, the real one. So I spoke to the developer; it was not impacted, and I said, hey, did you think about this, is that on purpose? They said no, I didn't have time to implement the external URL scheme stuff, but when I do I'll make sure that we're really careful with what external applications we launch, because the user is in Tor only in the browser, because it's iOS, so it doesn't get done at the network, at the system level. And Google said that's not really a Chrome problem, that's more like a Chromium problem, I don't really care that there's an issue, maybe someone should fix it, and then they sent me to a thread where people say this can't really be used maliciously, so they don't want to add a warning. I think I proved it could be used maliciously, but whatever, they're kind of right that Apple should fix FaceTime. Then I looked at the Twitter application, the real Twitter application, which has a built-in browser like so many other applications do. So if you want to know who a Twitter user is, just send him a link that's got this inline frame that I showed before, so as soon as he's going to click on that link the call is established and you know who he is. So if you need to know someone's phone number it's really, really useful, and that's going to work in every application that's got UIWebView and WebKit, pretty much. Maybe it's going to be fixed eventually, we'll see.

Then back to the Secure Coding Guide by Apple. They say don't implement useless features, which sounds really basic, right? Don't accept arbitrary URLs and paths, because you could really easily have path traversal issues with these URL schemes. They also say watch out for buffer overflows, because all iOS applications in the store right now, they're all Objective-C, so there's big potential for buffer overflows there, and Apple's not going to protect you if your application receives data using these schemes; they're just going to send the data to your application, so you can't rely on them protecting you. Don't pass these to queries, because you're going to end up with query injection in your application, and that would be really bad. And they also say watch out for social engineering; pretty much everything I've just shown is just that. I mean, there's nothing technical in these issues, it's just like a logical flaw.

So, don't implement useless features. Developers on iOS, I don't know, they seem to really like these URL schemes, and they use them in a weird way. So this is PCalc, a really popular third-party calculator for iOS that does RPN and is pretty awesome. So I'm just typing in some stuff, and then I browse a page that does Clear All on my calculator. Why would I ever need a website to do Clear All on my calculator? And that's not dangerous, that's just dumb. Then I found another one, and if you have issues with flashing lights I would recommend that you do not look for the next 20 seconds. So there's an app that's a flashlight application that's got a scheme to trigger a strobe light. What's the use case for that? Like you really need to throw down a party, like right now, using a link on a website? I don't know what the point is.

But I spoke about Twitter, I spoke about iMessage, that's all old stuff, right? The new hotness is Yo. So I looked at Yo, really secure, really useful application, and everyone's using Yo, right? So I just loaded it up, it says invite your friends, because that would be so much better, I'm like, yeah, I don't think so. And then I go browse this website, which automatically sends a Yo on my behalf, because they just accept that and they do it. So I just sent it to myself for purposes of the demonstration, and I just sent it to you. So if you need to de-anonymize anyone who's using Yo, that's just one of the many ways you can do that. And what's really dumb is it's so basic; that's the URL scheme for it, you just put someone's username, and when they browse it, it just sends a Yo. And there's a guy who's doing two-factor authentication using Yo, so after all odds we now have audio, and it's kind of a joke, but at the same time some people are like, yeah, this is cool, we should use that for two-factor. Yeah, don't do that.

Then I started looking at some other ways you could use these to de-anonymize people. So what you see on the right is my Mac; I'm logged into Google Apps, I'm creating a Google Doc that I made public. On the left you see my iPhone; on my iPhone I'm not logged into Google in my browser. So what's interesting is you can see these things as persistent CSRF attacks, right, because people don't log out from applications; no one logs out from their Dropbox application on their phones, that doesn't make any sense. So what I did right here is, instead of sending the link to the public document, I sent a link that uses the URL scheme for the Google Drive and Google Docs application on iOS. So instead of opening it in the browser, it opened it in my application, where I'm logged in. So on the right it's really small, but what you see in green is my name. So again, another way you can know who I am if I'm using iOS.

So what I would say, if you're a developer: have you considered that this could be completely useless? Has anyone in this room really implemented, like, customized workflows using these URL schemes? There's me, and I'm like a big Apple nerd. So don't do that if no one is going to use it, or at least give the user the option of not enabling that, and leave that off by default. You should just have an option: do you want to enable these third-party applications to send data to your application? Yes. If someone is enough of a geek to use this, they will find your setting. If you need full automation in the flow, for example the Day One example I showed, where it just sends you to Dropbox and then Dropbox sends you back, have you considered using a key? And what I mean by a key, I mean like the cheapest, crappiest CSRF-like token ever, or a password. So just tell the user to set up a password that will be passed in all of these URLs, so that would defeat pretty much all of the web attacks that I've demonstrated, because that's not really targeted. So even if it's just 123456 as the password, this is really hard to brute-force over a web page, so that would be pretty good. And most of all, don't rely on the browser to protect you against this, even if it's your own OS. I think Apple should know that they've been approving applications in the App Store that have browsers in them.

So how do you know an application has a URL scheme that you might want to exploit? What you can do is download the application on your Mac (this can work on PCs as well), just extract it, Show Package Contents, and find the Info.plist file, and that's what it looks like. So what we see right here is there's a setting that's declared that says CFBundleURLSchemes, and then you know the application has a scheme, but you don't really know what the scheme can do; you know it's there, so then you can start messing with it. But if you want to save a lot of time, buy this application, Launch Center Pro; that's the launcher I was showing earlier. This application has information about pretty much every application in the App Store, because everyone wants to be featured in that application. So in one plist file that you can find the same way, by extracting the application, you have that same information but for thousands of applications. And I'm serious, if you look at that for five to ten minutes you will probably find a vulnerability in an iOS application that just has some crazy schemes that do crazy stuff.

There's other attacks you could do with that: the buffer overflows that I mentioned before. If you want to try buffer overflows using URL schemes, I really recommend that you Google Patrick Wardle's talk at SOURCE Boston; it's available on the web, he gave a lot of good tips on how to reverse engineer iOS applications, and that would be really useful for you. And Daniel Mayer has a tool called idb that's on GitHub; it automates so many black-box pentesting workflows for iOS, one of which is fuzzing these URL schemes. So if you have a jailbroken iPhone, it's just going to fuzz that, run the application, no error code, kill the application, and try over and over until you find a buffer overflow or a different kind of issue. Another thing that I want to try is sniffing. I mentioned earlier that these URL schemes are not unique, except for the default ones. What does that mean? That means that if you know an application has registered, for example, todo://, you can make your own application that's going to register the same stuff, and the latest application that was installed is going to receive that data. So if you know the application is sending sensitive data doing that, maybe you just want to buy the source code to one of these crappy Flappy Bird clones, distribute it, but when you receive that data you just send it to your server, and then no one knows what happened and you just stole some data from iOS users. Apple will probably pull your application, but that's going to take a while.

Before I finish, a small note on iOS 8. It's going to introduce a lot of new methods for inter-application communication, which are probably way more secure, but the attack surface is going to be huge, and one thing to remember is the old crappy methods will still exist. Tomorrow morning iOS 8 is released; this is all still going to exist for a long time. So before I finish for questions, I'd like to give a special thanks to the BSides mentor program, especially my mentor Brennan, who helped me make this presentation much better, and I'd like to thank you for your time by showing you an actually really useful URL scheme workflow that allows you to Google for animated GIFs (yeah, I pronounce it "gifs") and iMessage them to your friends automatically. So that's automation for you. So thank you for your time, and I think we still have a few minutes for questions.

[audience question not captured]

Yes, yeah, it is. They kind of confirmed that they were looking at it, so I'm hoping it's going to be fixed soon. When I told them about the FaceTime issue they were working really hard on iOS 7, which was a major release, so it took time for them to implement the first fix, but I'm confident they will do something about that. We'll see. Yeah, Safari in 7.0.6 is broken, 7.1 is fine, but like if you're using Chrome you're still vulnerable to that, even if you're in incognito mode, right, because Chrome still sends you to external applications. Yes.

[audience question not captured]

Yes, yes, so actually you're right, FaceTime is broken, but if you're a Chrome user you're vulnerable to that. Just making it clear that FaceTime should be fixed. Another one? Yes.

[audience question not captured]

Yeah, it's kind of random. Like, I tried to test, and to be sure, it's always the latest one, but in some cases it was the first one. Maybe it's random, maybe it's random, but it's not always the first one. And some people make, like, paid upgrades for their application; Tweetbot is a good example. Tweetbot has its own scheme, and when they released a new version it was a separate app that also registered the same scheme, and if you had both apps on your phone it was just crazy: it was always going to the old one, and it was going to the new one. I don't think there's any logic behind it, or there wasn't in iOS 7.0.6 when I tested it. Yes.

[audience question not captured]

Yeah, well, I think the responsibility is in the developers' hands, right? If you're going to use this you need to be careful. The new methods that Apple is going to provide in iOS 8 will actually be way more powerful, even at a functional level, so I think developers will start using the new stuff, so this year we should see less and less URL schemes being implemented in applications, and it's probably going to, you know, slowly die down. Yes.

[audience question not captured]

But if they did that, that would break a lot of automated workflows, which only a small fraction of users do, but there's a few people trying to use, like, iPads to replace laptops in day-to-day application. So until iOS 8 there was no such... I don't think Apple ever intended that to become so popular, but because there was nothing else it became popular, and now they're kind of stuck with the problem because they can't just kill it. So we'll see. You can also do whitelists: if you have an application that should only receive data from one other application, you could do that, but unless you really know exactly what your users are going to use it for, that's not really a usable solution. We still have time for one more question.

[audience question not captured]

I think they can still be useful for really basic stuff, like the telephone one, and who knows if Apple would deprecate that in maybe iOS 9, because Apple is usually not shy about removing older features. So we'll see, it could happen, it could happen. Any other questions? All right, thank you.
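The two practical pieces of the talk, as an added Python example that is not the speaker's code: enumerating the schemes an app bundle registers (the CFBundleURLSchemes key in Info.plist) and a handler-side policy that follows the speaker's advice (off by default, a user-set key in every inbound URL, known actions only, no arbitrary paths). The plist, the myapp scheme, the actions and the URLs are constructed samples.

```python
"""Added example (not the speaker's code): the two checks the talk describes.
1. Enumerate the schemes an app registers in its Info.plist (CFBundleURLSchemes).
2. A handler-side policy for inbound URLs: off by default, user-set key required,
   known actions only, no path components in file names.
The plist, the 'myapp' scheme and the URLs below are constructed samples."""
import hmac
import plistlib
from urllib.parse import parse_qs, urlsplit

# Constructed Info.plist fragment, shaped like what "Show Package Contents" reveals.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.notes</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>com.example.notes</string>
      <key>CFBundleURLSchemes</key>
      <array><string>myapp</string><string>x-myapp</string></array>
    </dict>
  </array>
</dict>
</plist>
"""


def registered_schemes(info_plist):
    """Return every scheme listed under CFBundleURLTypes in an Info.plist (bytes)."""
    info = plistlib.loads(info_plist)
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    return schemes


# Receiving side: each action and the only parameters it may carry (constructed).
ALLOWED_ACTIONS = {"append": {"text", "file"}, "clear": set()}
CALLBACK_KEYS = ("x-success", "x-error", "x-cancel")  # x-callback-url return addresses


class UrlSettings:
    def __init__(self, enabled=False, key=None):
        self.enabled = enabled  # the opt-in switch, off by default
        self.key = key          # the user-set key that every inbound URL must carry


def evaluate_inbound_url(url, settings, own_scheme="myapp"):
    """Decide whether an inbound URL may run. Returns a dict with 'ok' and details."""
    parts = urlsplit(url)
    if parts.scheme != own_scheme:
        return {"ok": False, "reason": "not our scheme"}
    if not settings.enabled:
        return {"ok": False, "reason": "inbound URL handling is disabled"}
    query = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    supplied = query.pop("key", "")
    # Constant-time comparison; a missing URL key or an unset user key always fails.
    if not settings.key or not hmac.compare_digest(supplied.encode(), settings.key.encode()):
        return {"ok": False, "reason": "missing or wrong key"}
    # Accept myapp://append?... and the x-callback-url form myapp://x-callback-url/append?...
    action = parts.path.strip("/") if parts.netloc == "x-callback-url" else parts.netloc
    if action not in ALLOWED_ACTIONS:
        return {"ok": False, "reason": "unknown action %r" % action}
    callbacks = {k: query.pop(k) for k in CALLBACK_KEYS if k in query}
    unexpected = sorted(set(query) - ALLOWED_ACTIONS[action])
    if unexpected:
        return {"ok": False, "reason": "unexpected parameters %s" % unexpected}
    file_name = query.get("file", "")
    # Bare file names only: no '/', '\\' or leading '.', which also blocks '..' traversal.
    if file_name and (file_name.startswith(".") or "/" in file_name or "\\" in file_name):
        return {"ok": False, "reason": "file must be a bare name"}
    return {"ok": True, "action": action, "params": query, "callbacks": callbacks}


if __name__ == "__main__":
    print("registered schemes:", registered_schemes(SAMPLE_INFO_PLIST))
    settings = UrlSettings(enabled=True, key="123456")  # the talk's cheapest token ever
    for sample in (
        "myapp://append?text=hello&file=notes.txt",                    # no key: rejected
        "myapp://append?text=hello&file=notes.txt&key=123456",         # accepted
        "myapp://append?text=x&file=../important.txt&key=123456",      # traversal: rejected
        "myapp://x-callback-url/clear?key=123456&x-success=launch://",  # accepted, callback kept
    ):
        print(sample, "->", evaluate_inbound_url(sample, settings))
```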