iOS vs Android: Security of Inter-App Communication

University essay from Mittuniversitetet/Institutionen för data- och systemvetenskap

Abstract: Android and iOS are the world-leading mobile operating systems in today’s growing market of handheld devices. Third-party applications are an important aspect of these systems but can also provide an attack vector for exploiting other installed applications. Previous studies have shown that the Android inter-app communication (IAC) mechanism Intent can be used for causing harm to other apps. In contrast, research involving iOS app communication has been sparse because of the closed nature of the iOS ecosystem. One of the previous studies showed the possibility of using Android Intents for hijacking and forging payments between a company application providing payments via the Swedish payment application Swish and their App2App API. This study extends this previous work by creating an artifact that performs the same exploit on the iOS platform. iOS uses a URL-scheme for opening and sending data between applications. This mechanism is used for creating the communication between apps and finding out if payment information sent via the URL-scheme can be hijacked instead of arriving at the intended Swish application. The experiences drawn from the exploit were used in combination with the previous work to find differences between the IAC mechanisms. Finally, a literature study is presented with the latest mitigation techniques for IAC vulnerabilities.
