Custom URL Schemes - CraigDonkin/ios-testing GitHub Wiki

  • Custom URL schemes allow apps to communicate via a custom protocol

  • App must declare support for the scheme and handle incoming URLs that use the scheme

  • Once the scheme is registered other apps can open the app that registered the scheme and pass parameters

  • If two apps register the same URL scheme and you delete the one that gets launched, the other won't launch until the iOS device is rebooted

Registering URL Schemes

  • Defined in the app's Info.plist file
  • CFBundleURLTypes
    • Array of dictionaries each of which defines a URL scheme the app supports
  • CFBundleURLName
    • String containing the name of the URL scheme, for example com.myurl.com
    • Reverse DNS string is best practice
  • CFBundleURLSchemes
    • Array of strings containing the URL scheme names
    • E.g. http, mailto, tel, sms, etc.

scheme://cfbundleidentifier/string/?parameter=value

myapp://com.myurl.com/albumName?name=Infest

myapp://com.myurl.com/albumName?index=1

Forbidden Schemes

  • http
  • https
  • mailto
  • tel
  • sms
  • facetime
  • facetime-audio

Identifying Schemes in Use

  • Check the info.plist for
    • CFBundleURLTypes
    • CFBundleURLName
    • CFBundleURLSchemes
  • Open the scheme in Safari
    • How does the app behave?
      • Probably need more information to get it to work
  • Run strings on the decrypted application binary

strings decrypted.app | grep "scheme://"

  • Search in Hopper/IDA for labels such as OpenURL
    • Use Pseudocode function to investigate the method
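The two static checks above (read the CFBundleURLTypes entries out of Info.plist, then grep the decrypted binary for scheme prefixes) as a small script. This is an added example, not code from the wiki or from any app it describes; the Info.plist and the "binary" are constructed inline so it runs offline, and the bundle identifier com.myurl.com is only the one used in the page's example URLs.

```python
import plistlib
import re

# Constructed sample Info.plist (not taken from any real app). It declares two
# URL types: a custom "myapp" scheme and, as a mistake to detect, "http".
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.myurl.com</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key>
      <string>com.myurl.com</string>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>myapp</string>
        <string>MyApp-Beta</string>
      </array>
    </dict>
    <dict>
      <key>CFBundleURLName</key>
      <string>com.myurl.com.legacy</string>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>http</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed stand-in for a decrypted app binary: a few printable strings
# surrounded by non-printable bytes, which is what `strings` walks over.
SAMPLE_BINARY = (b"\x00\x01\xffmyapp://com.myurl.com/albumName?name=\x00\x00"
                 b"Hello\x00\x7f\x80myapp://com.myurl.com/albumName?index=\x00")

# Schemes iOS reserves for its own apps (the "Forbidden Schemes" list above).
FORBIDDEN_SCHEMES = {"http", "https", "mailto", "tel", "sms", "facetime", "facetime-audio"}

# "scheme://" as RFC 3986 spells a scheme: a letter, then letters/digits/+/-/.
SCHEME_PREFIX = re.compile(rb"[A-Za-z][A-Za-z0-9+.\-]*://")


def registered_schemes(plist_bytes):
    """Return (CFBundleURLName, scheme) pairs declared under CFBundleURLTypes."""
    info = plistlib.loads(plist_bytes)
    found = []
    for url_type in info.get("CFBundleURLTypes", []):
        name = url_type.get("CFBundleURLName", "")
        for scheme in url_type.get("CFBundleURLSchemes", []):
            found.append((name, scheme))
    return found


def forbidden_schemes(plist_bytes):
    """Declared schemes that collide with the reserved list (schemes compare case-insensitively)."""
    return sorted({scheme for _, scheme in registered_schemes(plist_bytes)
                   if scheme.lower() in FORBIDDEN_SCHEMES})


def scheme_urls_in_binary(blob, min_len=4):
    """Mimic `strings decrypted.app | grep '://'`: printable ASCII runs that contain a scheme prefix."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [run.decode("ascii") for run in runs if SCHEME_PREFIX.search(run)]


if __name__ == "__main__":
    for name, scheme in registered_schemes(SAMPLE_INFO_PLIST):
        print(f"{name}: {scheme}")
    print("forbidden:", forbidden_schemes(SAMPLE_INFO_PLIST))
    print("in binary:", scheme_urls_in_binary(SAMPLE_BINARY))
```

Point `registered_schemes` at the bytes of a real Info.plist (`plutil -convert xml1` first if it is in binary plist form) and `scheme_urls_in_binary` at the decrypted Mach-O; the strings the second one returns are the starting points for the Hopper/IDA search for the openURL handler.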

Weaknesses

  • Depends on the app
  • How does the app read data from the URL?
  • What does it do with the data?
  • Does the application prompt before an action is performed?
  • Does it verify the origin source?
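The questions above, turned into the checks a handler should make, as an added example (not code from the wiki or any real app). It models what an iOS app's open-URL handler ought to do with the page's example URLs, in Python rather than Swift so it runs anywhere; the scheme "myapp", the bundle identifier com.myurl.com, the "/deleteAlbum" route and the parameter limits are assumptions of this example, and the source-application value stands in for the bundle id iOS may pass to the handler.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Assumptions for this example: the app registered "myapp" and its bundle
# identifier is com.myurl.com, matching the page's example URLs.
ALLOWED_SCHEMES = {"myapp"}
BUNDLE_ID = "com.myurl.com"


class RejectedURL(ValueError):
    """Raised for any URL the app refuses to act on."""


def int_param(value):
    # Bound the value as well as the type, so a caller cannot address anything absurd.
    if not value.isdigit() or int(value) > 10_000:
        raise RejectedURL(f"bad integer parameter {value!r}")
    return int(value)


def str_param(value):
    if not (0 < len(value) <= 64) or not value.isprintable():
        raise RejectedURL("bad string parameter")
    return value


# Routing table: path -> (allowed parameters with their validators, user must confirm?)
# "/deleteAlbum" is a hypothetical destructive route added to show the prompt.
ROUTES = {
    "/albumName":   ({"name": str_param, "index": int_param}, False),
    "/deleteAlbum": ({"index": int_param}, True),
}


@dataclass
class Action:
    path: str
    params: dict
    needs_confirmation: bool
    source_application: Optional[str] = None


def handle_open_url(url, source_application=None):
    """Model of the app's open-URL handler doing every check in the list above."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise RejectedURL("unexpected scheme")
    if parts.netloc.lower() != BUNDLE_ID:          # host must be our own bundle id
        raise RejectedURL("unexpected host")
    if parts.path not in ROUTES:                   # exact match: no prefixes, no traversal
        raise RejectedURL("unknown path")
    validators, confirm = ROUTES[parts.path]
    raw = parse_qs(parts.query, keep_blank_values=True)
    params = {}
    for key, values in raw.items():
        if key not in validators:                  # allowlist; never pass unknown params through
            raise RejectedURL(f"unexpected parameter {key!r}")
        if len(values) != 1:                       # duplicate keys are ambiguous: refuse
            raise RejectedURL(f"duplicate parameter {key!r}")
        params[key] = validators[key](values[0])
    # The calling app's identity is only a hint (iOS does not always supply it),
    # so it is recorded for logging and never replaces the confirmation prompt.
    return Action(parts.path, params, confirm, source_application)


def is_accepted(url, source_application=None):
    """True if the handler would act on the URL, False if it rejects it."""
    try:
        handle_open_url(url, source_application)
        return True
    except RejectedURL:
        return False


if __name__ == "__main__":
    print(handle_open_url("myapp://com.myurl.com/albumName?index=1"))
    print(handle_open_url("myapp://com.myurl.com/deleteAlbum?index=3", "com.apple.mobilesafari"))
    print(is_accepted("myapp://com.myurl.com/albumName?index=abc"))
```

When testing a real app, each rejected URL here corresponds to a case worth sending from Safari or another app: a different host, an unknown path, an unexpected or duplicated parameter, a non-numeric index, and a destructive route to see whether any prompt appears.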