Sandboxing and URL Schemes

Josh Centers at TidBITS:

But with Twitter's recent announcement of App Graph, another explanation for the company's desire to dominate the user experience has appeared: Twitter wants to collect personal information from your devices. App Graph will use the official Twitter app to gather the list of apps installed on your iOS devices and send that list back to Twitter. (It seems to do this by scanning a list of x-callback-urls — a method of inter-app communications developed before iOS 8's Extensibility functions.)

This motivated me to submit Radar 19156479 to Apple:

Product: iOS

Classification: Security

Reproducibility: Always

Title: Sandboxing and URL Schemes

Description: The iOS app sandbox prevents an app from directly accessing a list of other installed apps. The ability to determine whether the device has an app that responds to a given URL scheme circumvents that protection. There are good reasons for this. An app should not offer to open Google Maps on a device that does not have Google Maps. That said, deriving a list of all installed apps and sending it somewhere seems like something the app sandbox should make impossible.

Steps to Reproduce:
1. Attempt to write an iOS app that, without the user's knowledge or consent, gets a list of all apps installed on the device and sends it to your server.

Expected Results:
I would expect to find this impossible.

Actual Results:
I can derive a reasonably complete list of installed apps using a list of URL schemes such as the one available at https://gist.github.com/genadyo/295a5e8f0d743f57137f. I can iterate through the list of URL schemes, calling [[UIApplication sharedApplication] canOpenURL:] for each URL scheme to determine whether an app responding to that URL scheme is installed.

Configuration:
N/A

Version & Build:
iOS 8.1.1 (12B435)

Additional Notes:
I do not have a perfect technical solution to this problem. At bare minimum, I think App Review should reject apps that abuse the canOpenURL: call.

Calls to canOpenURL: and openURL: could require an entitlement, perhaps with a specific list of URL schemes. App Review could require developers to explain how and why they need to open URLs with those schemes in order to function properly.

If you agree that this is a weakness that Apple should address, please consider filing a duplicate of this report.
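The App Review check suggested in the Additional Notes could start with a static pass like the one below. It is an added example, not part of the radar and not Apple's tooling: it flags a build that references canOpenURL: and also embeds many URL schemes it does not register itself. The threshold, the benign-scheme list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import plistlib
import re

# A URL scheme followed by "://", as it appears in a binary's string tables.
# The lookbehind makes sure the match starts at the beginning of the scheme.
SCHEME_RE = re.compile(rb"(?<![A-Za-z0-9+.\-])([A-Za-z][A-Za-z0-9+.\-]+)://")
# Ordinary networking/system schemes; not evidence of probing (assumed list).
BENIGN = {"http", "https", "file", "ftp", "ws", "wss"}


def declared_schemes(info_plist_bytes):
    """URL schemes the app itself registers through CFBundleURLTypes."""
    info = plistlib.loads(info_plist_bytes)
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.update(s.lower() for s in url_type.get("CFBundleURLSchemes", []))
    return schemes


def audit(binary, info_plist_bytes, threshold=5):
    """Return (flagged, foreign_schemes) for a reviewer to follow up on.

    Heuristic: the canOpenURL: selector is present AND the binary embeds at
    least `threshold` schemes belonging to other apps. One or two foreign
    schemes (the "offer to open a maps app" case) stay below the threshold.
    """
    own = declared_schemes(info_plist_bytes)
    found = {m.group(1).decode("ascii").lower() for m in SCHEME_RE.finditer(binary)}
    foreign = sorted(found - own - BENIGN)
    uses_probe = b"canOpenURL:" in binary
    return (uses_probe and len(foreign) >= threshold), foreign


# Constructed sample input: an Info.plist registering one scheme, and two
# fake NUL-separated string tables standing in for app binaries.
SAMPLE_PLIST = plistlib.dumps({"CFBundleURLTypes": [{"CFBundleURLSchemes": ["myapp"]}]})
SAMPLE_PROBER = b"\x00".join(
    [b"canOpenURL:", b"myapp://home", b"https://api.example.com"]
    + [b"vendor%d://" % i for i in range(8)]
)
SAMPLE_SINGLE_USE = b"\x00".join([b"canOpenURL:", b"myapp://home", b"vendor0://route"])

if __name__ == "__main__":
    for name, blob in [("prober", SAMPLE_PROBER), ("single-use", SAMPLE_SINGLE_USE)]:
        flagged, foreign = audit(blob, SAMPLE_PLIST)
        print(name, "FLAG" if flagged else "ok", foreign)
```

A flag here is only a prompt for the developer explanation the radar proposes; schemes assembled at run time or fetched from a server would not appear in the string tables.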