From f4323a380161dcbe25a1682c133648fc1962f300 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 17 Jul 2025 01:44:12 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/mobile-pentesting/ios-pentesti... --- .../ios-pentesting/ios-universal-links.md | 38 +++++++++++++++++-- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/src/mobile-pentesting/ios-pentesting/ios-universal-links.md b/src/mobile-pentesting/ios-pentesting/ios-universal-links.md index 6e97b255a9d..3ece177ae6f 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-universal-links.md +++ b/src/mobile-pentesting/ios-pentesting/ios-universal-links.md 
@@ -26,7 +26,19 @@ If working with a compiled application, entitlements can be extracted as outline ### **Retrieving the Apple App Site Association File** -The `apple-app-site-association` file should be retrieved from the server using the domains specified in the entitlements. Ensure the file is accessible via HTTPS directly at `https:///apple-app-site-association`. Tools like the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/) can aid in this process. +The `apple-app-site-association` file should be retrieved from the server using the domains specified in the entitlements. Ensure the file is accessible via HTTPS directly at `https:///apple-app-site-association` (or `/.well-known/apple-app-site-association`). Tools like the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/) can aid in this process. + +> **Quick enumeration from a macOS/Linux shell** +> +> ```bash +> # assuming you have extracted the entitlements to ent.xml +> doms=$(plutil -extract com.apple.developer.associated-domains xml1 -o - ent.xml | \ +> grep -oE 'applinks:[^<]+' | cut -d':' -f2) +> for d in $doms; do +> echo "[+] Fetching AASA for $d"; +> curl -sk "https://$d/.well-known/apple-app-site-association" | jq '.' +> done +> ``` ### **Handling Universal Links in the App** @@ -78,16 +90,34 @@ func application(_ application: UIApplication, Through **diligent configuration and validation**, developers can ensure that universal links enhance user experience while maintaining security and privacy standards. +## Common Vulnerabilities & Pentesting Checks + +| # | Weakness | How to test | Exploitation / Impact | +|---|----------|------------|-----------------------| +| 1 | **Over-broad `paths` / `components`** in the AASA file (e.g. `"/": "*"` or wildcards such as `"/a/*"`). | • Inspect the downloaded AASA and look for `*`, trailing slashes, or `{"?": …}` rules.
• Try to request unknown resources that still match the rule (`https://domain.com/a/evil?_p_dp=1`). | Universal-link hijacking: a malicious iOS app that registers the same domain could claim all those links and present phishing UI. A real-world example is the May 2025 Temu.com bug-bounty report where an attacker could redirect any `/a/*` path to their own app. | +| 2 | **Missing server-side validation** of deep-link paths. | After identifying the allowed paths, issue `curl`/Burp requests to non-existing resources and observe HTTP status codes. Anything other than `404` (e.g. 200/302) is suspicious. | An attacker can host arbitrary content behind an allowed path and serve it via the legitimate domain, increasing the success rate of phishing or session-token theft. | +| 3 | **App-side URL handling without scheme/host whitelisting** (CVE-2024-10474 – Mozilla Focus < 132). | Look for direct `openURL:`/`open(_:options:)` calls or JavaScript bridges that forward arbitrary URLs. | Internal pages can smuggle `myapp://` or `https://` URLs that bypass the browser’s URL-bar safety checks, leading to spoofing or unintended privileged actions. | +| 4 | **Use of wildcard sub-domains** (`*.example.com`) in the entitlement. | `grep` for `*.` in the entitlements. | If any sub-domain is taken over (e.g. via an unused S3 bucket), the attacker automatically gains the Universal Link binding. | + +### Quick Checklist + +* [ ] Extract entitlements and enumerate every `applinks:` entry. +* [ ] Download AASA for each entry and audit for wildcards. +* [ ] Verify the web server returns **404** for undefined paths. +* [ ] In the binary, confirm that **only** trusted hosts/schemes are handled. +* [ ] If the app uses the newer `components` syntax (iOS 11+), fuzz query-parameter rules (`{"?":{…}}`). + ## Tools - [GetUniversal.link](https://getuniversal.link/): Helps simplify the testing and management of your app's Universal Links and AASA file. 
Simply enter your domain to verify AASA file integrity or use the custom dashboard to easily test link behavior. This tool also helps you determine when Apple will next index your AASA file. +- [Knil](https://github.com/ethanhuang13/knil): Open-source iOS utility that fetches, parses and lets you **tap-test** every Universal Link declared by a domain directly on device. +- [universal-link-validator](https://github.com/urbangems/universal-link-validator): CLI / web validator that performs strict AASA conformance checks and highlights dangerous wildcards. ## References - [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis) - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8) +- [https://medium.com/@m.habibgpi/universal-link-hijacking-via-misconfigured-aasa-file-on-temu-com-eadfcb745e4e](https://medium.com/@m.habibgpi/universal-link-hijacking-via-misconfigured-aasa-file-on-temu-com-eadfcb745e4e) +- [https://nvd.nist.gov/vuln/detail/CVE-2024-10474](https://nvd.nist.gov/vuln/detail/CVE-2024-10474) {{#include ../../banners/hacktricks-training.md}} - - -
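Review bot: the `curl -sk` in the new bash snippet in the first hunk disables certificate verification, which undercuts the sentence just above it ("Ensure the file is accessible via HTTPS directly"); a TLS failure on the AASA endpoint is itself a finding, so drop `-k` (or run once with and once without it and record the difference). The pipeline also sends whatever comes back straight into `jq '.'`, so a 404 HTML page or a redirect to a login form surfaces as a jq parse error and looks like a malformed file; checking the HTTP status and `Content-Type` first (e.g. `curl -s -o aasa.json -w '%{http_code} %{content_type}'`) keeps "missing" and "malformed" distinguishable. The loop only requests `/.well-known/apple-app-site-association` while the rewritten prose line says both that path and the root path are valid locations; iterating over both, e.g. `for p in /.well-known/apple-app-site-association /apple-app-site-association; do`, makes the snippet match the text. Since the prose line is being rewritten anyway, the inherited `https:///apple-app-site-association` with an empty host should get a placeholder such as `https://<domain>/apple-app-site-association`.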
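Review bot: row 1 of the new table in the second hunk is broken across a raw line break (the cell ends at `{"?": …}` rules.` and the next line starts with `• Try to request unknown resources`), and a Markdown table row has to be a single line, so this row will not render; join the two test steps with `<br>` or write them as one sentence. In row 2, "Anything other than `404` (e.g. 200/302) is suspicious" treats a redirect as a finding on its own, but a 302 to a canonical or login page is a common legitimate response for unknown paths; the row should say what to inspect on the redirect target (does the allowed path end up serving attacker-controllable content) rather than flag the status code alone. Rows 1, 2 and 4 describe server-side AASA and entitlement misconfigurations while row 3 is an app-side URL-handling weakness, so the weakness column should label that distinction, and the matching checklist item "confirm that **only** trusted hosts/schemes are handled" should point at the `application(_:continue:restorationHandler:)` handler discussed earlier in the file (the `func application(_ application: UIApplication,` context line) so the reader knows where to look in the binary. The example URL `https://domain.com/a/evil?_p_dp=1` names a real registrable host; `example.com` avoids pointing at a third party. Minor style point: the Quick Checklist uses `* [ ]` task-list bullets while the adjacent `## Tools` list uses `- `; one bullet marker for the whole file.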