CobsterLock | 4 years ago

I think mankyd knew that. I'm thinking the exploit would be installing a bad app that enforces redirects for mybank.com, youbank.com, usabank.com, ukbank.com, allbanks.com to their malicious app. Then the app just knows how to pretend to be the login screen for all these apps and, bam, you get a whole ton of passwords. The key thing would be for the app not to show the URL of their malicious site.

danShumway | 4 years ago

Phones already do this though, don't they? I think Android at least allows redirecting links to apps, and I'm pretty sure Mac does as well.

Is there a bigger threat model people are worried about with extending the app schema to include normal URLs as well? Or do you just think the problem would be worse if the scope was broader?

Trying to figure out where people are drawing the line on this.

machello13 | 4 years ago

On iOS and macOS (I can't speak to Android but I'm fairly sure it's a similar mechanism), you're required to prove that a domain and app are linked before allowing URLs to open in your app. You do this by hosting a JSON file on your website that points to your app and specifies which kind of URLs should be redirected. E.g. see https://apple.com/.well-known/apple-app-site-association for how Apple.com does it.

This prevents malicious third-parties from opening bank.com in their own app, but of course it also prevents useful things like using a custom YouTube app.
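The domain-to-app link machello13 describes, as an added example that is not from this thread: a small matcher that reads a constructed apple-app-site-association file (legacy `applinks`/`paths` format) and decides which app ID, if any, a given URL on that domain would be handed to. The app ID, domain and path patterns are made up for illustration.

```python
"""Decide whether a URL is claimed by a native app under an
apple-app-site-association (AASA) file.

Legacy AASA "applinks" entries list, per app ID, path patterns where
"*" matches any run of characters, "?" one character, and a "NOT "
prefix excludes a path. The first matching pattern wins. The file is
already scoped to the domain it is served from, so only the path is
matched here; a real client fetches it from that host over HTTPS."""
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed AASA document; the app ID and domain are hypothetical.
AASA_JSON = """
{
  "applinks": {
    "apps": [],
    "details": [
      {
        "appID": "ABCDE12345.com.example.bank",
        "paths": ["NOT /help/*", "/accounts/*", "/login"]
      }
    ]
  }
}
"""


def parse_aasa(text: str) -> dict:
    """Parse the AASA JSON body into a dict."""
    return json.loads(text)


def _pattern_to_regex(pattern: str) -> re.Pattern:
    # Escape everything, then restore the two AASA wildcards.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def matching_app(aasa: dict, url: str) -> Optional[str]:
    """Return the app ID that claims `url`, or None if it stays in the browser."""
    path = urlparse(url).path or "/"
    for entry in aasa.get("applinks", {}).get("details", []):
        for pattern in entry.get("paths", []):
            excluded = pattern.startswith("NOT ")
            candidate = pattern[4:] if excluded else pattern
            if _pattern_to_regex(candidate).match(path):
                return None if excluded else entry["appID"]
    return None


if __name__ == "__main__":
    doc = parse_aasa(AASA_JSON)
    for u in ("https://bank.example/accounts/123",
              "https://bank.example/help/faq",
              "https://bank.example/about"):
        print(u, "->", matching_app(doc, u))
```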

ivanmontillam | 4 years ago

Yes, but phones do have curated mobile app stores. Not the case with desktop computers, so it's dangerous.