CWE-939
Improper Authorization in Handler for Custom URL Scheme
AI Translation Available
The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
Status
incomplete
Abstraction
base
Affected Platforms
Mobile
Extended Description
AI Translation
Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do inter-application communication. The implementation is at the developer's discretion which may open security flaws in the application. An example could be potentially dangerous functionality such as modifying files through a custom URL scheme.
Technical Details
AI Translation
Common Consequences
access control
other
Impacts
gain privileges or assume identity
varies by context
bypass protection mechanism
Detection Methods
automated static analysis
Potential Mitigations
Phases:
architecture and design
Descriptions:
•
Utilize a user prompt pop-up to authorize potentially harmful actions such as those modifying data or dealing with sensitive information.
When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.