Merge pull request #1142 from HackTricks-wiki/research_update_src_mobile-pentesting_ios-pentesting_ios-universal-links_20250717_014015

carlospolop · web-flow · commit 61f4e216284d · 2025-07-17T16:01:58.000+02:00
Research Update Enhanced src/mobile-pentesting/ios-pentestin...
diff --git a/src/mobile-pentesting/ios-pentesting/ios-universal-links.md b/src/mobile-pentesting/ios-pentesting/ios-universal-links.md
@@ -26,7 +26,19 @@ If working with a compiled application, entitlements can be extracted as outline
 
 ### **Retrieving the Apple App Site Association File**
 
-The `apple-app-site-association` file should be retrieved from the server using the domains specified in the entitlements. Ensure the file is accessible via HTTPS directly at `https://<domain>/apple-app-site-association`. Tools like the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/) can aid in this process.
+The `apple-app-site-association` file should be retrieved from the server using the domains specified in the entitlements. Ensure the file is accessible via HTTPS directly at `https://<domain>/apple-app-site-association` (or `/.well-known/apple-app-site-association`). Tools like the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/) can aid in this process.
+
+> **Quick enumeration from a macOS/Linux shell**
+>
+> ```bash
+> # assuming you have extracted the entitlements to ent.xml
+> doms=$(plutil -extract com.apple.developer.associated-domains xml1 -o - ent.xml | \
+>        grep -oE 'applinks:[^<]+' | cut -d':' -f2)
+> for d in $doms; do
+>   echo "[+] Fetching AASA for $d";
+>   curl -sk "https://$d/.well-known/apple-app-site-association" | jq '.'
+> done
+> ```
 
 ### **Handling Universal Links in the App**
 
@@ -78,16 +90,34 @@ func application(_ application: UIApplication,
 
 Through **diligent configuration and validation**, developers can ensure that universal links enhance user experience while maintaining security and privacy standards.
 
+## Common Vulnerabilities & Pentesting Checks
+
+| # | Weakness | How to test | Exploitation / Impact |
+|---|----------|------------|-----------------------|
+| 1 | **Over-broad `paths` / `components`** in the AASA file (e.g. `"/": "*"` or wildcards such as `"/a/*"`). | • Inspect the downloaded AASA and look for `*`, trailing slashes, or `{"?": …}` rules.<br>• Try to request unknown resources that still match the rule (`https://___domain.com/a/evil?_p_dp=1`). | Universal-link hijacking: a malicious iOS app that registers the same ___domain could claim all those links and present phishing UI. A real-world example is the May 2025 Temu.com bug-bounty report where an attacker could redirect any `/a/*` path to their own app. |
+| 2 | **Missing server-side validation** of deep-link paths. | After identifying the allowed paths, issue `curl`/Burp requests to non-existing resources and observe HTTP status codes. Anything other than `404` (e.g. 200/302) is suspicious. | An attacker can host arbitrary content behind an allowed path and serve it via the legitimate ___domain, increasing the success rate of phishing or session-token theft. |
+| 3 | **App-side URL handling without scheme/host whitelisting** (CVE-2024-10474 – Mozilla Focus < 132). | Look for direct `openURL:`/`open(_:options:)` calls or JavaScript bridges that forward arbitrary URLs. | Internal pages can smuggle `myapp://` or `https://` URLs that bypass the browser’s URL-bar safety checks, leading to spoofing or unintended privileged actions. |
+| 4 | **Use of wildcard sub-domains** (`*.example.com`) in the entitlement. | `grep` for `*.` in the entitlements. | If any sub-___domain is taken over (e.g. via an unused S3 bucket), the attacker automatically gains the Universal Link binding. |
+
+### Quick Checklist
+
+* [ ] Extract entitlements and enumerate every `applinks:` entry.
+* [ ] Download AASA for each entry and audit for wildcards.
+* [ ] Verify the web server returns **404** for undefined paths.
+* [ ] In the binary, confirm that **only** trusted hosts/schemes are handled.
+* [ ] If the app uses the newer `components` syntax (iOS 11+), fuzz query-parameter rules (`{"?":{…}}`).
+
 ## Tools
 
 - [GetUniversal.link](https://getuniversal.link/): Helps simplify the testing and management of your app's Universal Links and AASA file. Simply enter your ___domain to verify AASA file integrity or use the custom dashboard to easily test link behavior. This tool also helps you determine when Apple will next index your AASA file.
+- [Knil](https://github.com/ethanhuang13/knil): Open-source iOS utility that fetches, parses and lets you **tap-test** every Universal Link declared by a ___domain directly on device.
+- [universal-link-validator](https://github.com/urbangems/universal-link-validator): CLI / web validator that performs strict AASA conformance checks and highlights dangerous wildcards.
 
 ## References
 
 - [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis)
 - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8)
+- [https://medium.com/@m.habibgpi/universal-link-hijacking-via-misconfigured-aasa-file-on-temu-com-eadfcb745e4e](https://medium.com/@m.habibgpi/universal-link-hijacking-via-misconfigured-aasa-file-on-temu-com-eadfcb745e4e)
+- [https://nvd.nist.gov/vuln/detail/CVE-2024-10474](https://nvd.nist.gov/vuln/detail/CVE-2024-10474)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
