CWE-939

Improper Authorization in Handler for Custom URL Scheme

The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

Mitigation

Phase: Architecture and Design

Description:

  • Utilize a user prompt pop-up to authorize potentially harmful actions such as those modifying data or dealing with sensitive information.
  • When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page