
[Zashi-iOS audit] Issue B: zcash: links can be intercepted by other apps on the device #1093

Closed
daira opened this issue Mar 1, 2024 · 1 comment · Fixed by #1105
Labels: I-SECURITY (Problems and improvements related to security), Zashi 1.0
Comments

@daira
Contributor

daira commented Mar 1, 2024

From @defuse's draft report:

Severity: Medium

zashi-ios includes code for handling deeplinks through the URL scheme “zcash://”. URL scheme handlers can be registered by other apps on the device, which leads to two potential attacks.

First, there is an attack on privacy. Another app that has registered for zcash: will be able to see when such URLs are clicked, and see their contents. If these are used for payment request URIs, the other app will learn the embedded destination address and amount.

Second, there is an attack on integrity, which could lead to theft of funds if the user is not careful. An app could register a handler for zcash: and then, when a payment URI is clicked, it could modify the destination address or amount. The address and amount are displayed to the user before generating the transaction, but the user might not notice that the address is different from what was in the URL they clicked, and their funds could be stolen.

I recommend disabling zcash: deeplinks entirely for the Zashi 1.0 release, both because of these risks and because proper payment URI parsing (ZIP 321) is not yet implemented.

This kind of interception can be prevented by using Universal Links. Universal Links are specific to a domain name, and for an app to register a handler, it must prove that it controls the domain name by hosting an apple-app-site-association file containing a list of approved apps.

The drawback to using Universal Links is that payment request URIs would have to be wallet-specific, i.e. the generator of the URI would have to know which wallet the user has installed, in order to use the correct domain name. Alternatively, a trusted party could maintain a list of “approved” wallets and grant them all access to register Universal Link handlers for the same domain name.

Essentially the same issue was previously documented in rationale for ZIP 324. I assess that it is well enough known that this ticket can be public.
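The contrast drawn in the report above, as an added example that is not part of this issue or of the Zashi code: a small model of how a custom URL scheme has no owner (every app that declares it is a candidate handler), whereas a Universal Link is delivered only to apps the domain owner lists in its apple-app-site-association file. The AASA document, team IDs, bundle IDs and installed-app registry are all constructed placeholders; the `details` list with several app IDs models the “trusted party approves several wallets for one domain” variant.

```python
import json
from fnmatch import fnmatchcase

# Constructed apple-app-site-association (AASA) document. The domain owner
# publishes it at https://<domain>/.well-known/apple-app-site-association;
# only the apps listed here may receive Universal Links for that domain.
# Team IDs and bundle IDs are placeholders, not real Zashi values.
AASA = json.loads("""
{
  "applinks": {
    "apps": [],
    "details": [
      {"appID": "TEAMID1.example.wallet.one", "paths": ["NOT /pay/internal/*", "/pay/*"]},
      {"appID": "TEAMID2.example.wallet.two", "paths": ["/pay/*"]}
    ]
  }
}
""")

def path_allowed(path: str, patterns: list[str]) -> bool:
    """Evaluate AASA 'paths' patterns in order: '*' and '?' are wildcards and a
    'NOT ' prefix excludes. The first matching pattern decides."""
    for pattern in patterns:
        negate = pattern.startswith("NOT ")
        glob = pattern[4:] if negate else pattern
        if fnmatchcase(path, glob):
            return not negate
    return False

def authorized_apps(aasa: dict, path: str) -> list[str]:
    """App IDs (TeamID.bundleID) approved by the domain owner for this path.
    An app absent from this list cannot claim the link, however it is built."""
    return [d["appID"] for d in aasa["applinks"]["details"]
            if path_allowed(path, d["paths"])]

def custom_scheme_claimants(registry: dict, scheme: str) -> list[str]:
    """Contrast: a custom URL scheme such as zcash: has no owner. Any installed
    app can declare it, so every declarer is a candidate handler."""
    return sorted(app for app, schemes in registry.items() if scheme in schemes)

# Constructed picture of two installed apps that both declare the zcash scheme.
INSTALLED = {
    "example.wallet.one": ["zcash"],
    "example.other.app": ["zcash", "otherscheme"],
}

if __name__ == "__main__":
    print(authorized_apps(AASA, "/pay/request"))
    print(custom_scheme_claimants(INSTALLED, "zcash"))
```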

@daira daira added the I-SECURITY Problems and improvements related to security. label Mar 1, 2024
@daira daira added this to the iOS Zashi 1.0 milestone Mar 1, 2024
LukasKorba added a commit to LukasKorba/secant-ios-wallet that referenced this issue Mar 6, 2024
- The URL scheme has been removed entirely from the project
@LukasKorba LukasKorba added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. Zashi 1.0 labels Mar 6, 2024
LukasKorba added a commit to LukasKorba/secant-ios-wallet that referenced this issue Mar 8, 2024
- The URL scheme has been removed entirely from the project

[Electric-Coin-Company#1093] Zashi-iOS audit Issue B (Electric-Coin-Company#1105)

- removed from testnet target
LukasKorba added a commit that referenced this issue Mar 8, 2024
@true-jared true-jared removed the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Mar 11, 2024
@skyl

skyl commented May 4, 2024

The user would have to select the malicious app to handle zcash: links?

From what I understand, these attacks should not be practical.
