{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Universal links offer a seamless redirection experience to users by directly opening content in the app, bypassing the need for Safari redirection. These links are unique and secure, as they cannot be claimed by other apps. This is ensured by hosting a apple-app-site-association
JSON file on the website's root directory, establishing a verifiable link between the website and the app. In cases where the app is not installed, Safari will take over and direct the user to the webpage, maintaining the app's presence.
For penetration testers, the apple-app-site-association
file is of particular interest as it may reveal sensitive paths, potentially including ones related to unreleased features.
Developers enable Universal Links by configuring the Associated Domains in Xcode's Capabilities tab or by inspecting the .entitlements
file. Each domain is prefixed with applinks:
. For example, Telegram's configuration might appear as follows:
<key>com.apple.developer.associated-domains</key>
<array>
<string>applinks:telegram.me</string>
<string>applinks:t.me</string>
</array>
For more comprehensive insights, refer to the archived Apple Developer Documentation.
If working with a compiled application, entitlements can be extracted as outlined in this guide.
The apple-app-site-association
file should be retrieved from the server using the domains specified in the entitlements. Ensure the file is accessible via HTTPS directly at https://<domain>/apple-app-site-association
. Tools like the Apple App Site Association (AASA) Validator can aid in this process.
The app must implement specific methods to handle universal links correctly. The primary method to look for is application:continueUserActivity:restorationHandler:
. It's crucial that the scheme of URLs handled is HTTP or HTTPS, as others will not be supported.
When a universal link opens an app, an NSUserActivity
object is passed to the app with the URL. Before processing this URL, it's essential to validate and sanitize it to prevent security risks. Here's an example in Swift that demonstrates the process:
func application(_ application: UIApplication, continue userActivity: NSUserActivity,
restorationHandler: @escaping ([UIUserActivityRestoring]?) -> Void) -> Bool {
// Check for web browsing activity and valid URL
if userActivity.activityType == NSUserActivityTypeBrowsingWeb, let url = userActivity.webpageURL {
application.open(url, options: [:], completionHandler: nil)
}
return true
}
URLs should be carefully parsed and validated, especially if they include parameters, to guard against potential spoofing or malformed data. The NSURLComponents
API is useful for this purpose, as demonstrated below:
func application(_ application: UIApplication,
continue userActivity: NSUserActivity,
restorationHandler: @escaping ([Any]?) -> Void) -> Bool {
guard userActivity.activityType == NSUserActivityTypeBrowsingWeb,
let incomingURL = userActivity.webpageURL,
let components = NSURLComponents(url: incomingURL, resolvingAgainstBaseURL: true),
let path = components.path,
let params = components.queryItems else {
return false
}
if let albumName = params.first(where: { $0.name == "albumname" })?.value,
let photoIndex = params.first(where: { $0.name == "index" })?.value {
// Process the URL with album name and photo index
return true
} else {
// Handle invalid or missing parameters
return false
}
}
Through diligent configuration and validation, developers can ensure that universal links enhance user experience while maintaining security and privacy standards.
- GetUniversal.link: Helps simplify the testing and management of your app's Universal Links and AASA file. Simply enter your domain to verify AASA file integrity or use the custom dashboard to easily test link behavior. This tool also helps you determine when Apple will next index your AASA file.
- https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis
- https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.