Cover Custom URL Schemes and Deep Links in a unique IPC control? #581
As noticed in https://github.com/OWASP/owasp-mstg/pull/1805/files#r471915771, MSTG-PLATFORM-3 is about Custom URL Schemes. Maybe we should consider changing it to Deep Linking, since Custom URL Schemes are, so to say, a subset of Deep Links. In the end we're telling the same story on both platforms: you have custom/unverified and verified links. The recommendation should be to use more verified links (e.g. App Links on Android, Universal Links on iOS) and always verify the input data. But this shouldn't be restricted to "Custom URL Schemes".
should be:
Interpretation:
Next, in theory, this still collides with the following requirement as deep links/custom URL schemes can be considered IPC facilities. An app (including the browser/email apps including links to apps, i.e. deep linking) can trigger actions in other apps via a link with parameters.
Interpretation is the same as above. I tend to think that we have 2 options: put everything together in this requirement or, if not, each IPC mechanism would deserve its own requirement, but that would make everything more complicated for my taste. Keep it simple :)
Replies: 1 comment
We're proposing a new unified MASVS control for IPC. The specifics will be handled by the MSTG via tests.