Risk Concern in Deep linking for payments apps, when doing payment via iOS 15 Native Camera QR Scan
Originator: abhirathore
Number: rdar://FB9715339
Date Originated: Oct 20, 2021
Status: Open
Resolved: Open
Product: UIKit
Product Version: iOS15
Classification: Suggestion
Reproducible: yes
With recent changes in the iOS 15 Camera, a user can now scan any QR code and select a payments app from the Camera itself. This opens the payments app via deep linking and delivers the UPI URI as the payload of the openURL function. Inside this function, the payments app can't verify that the call is coming from the native Camera, since the source application's bundle identifier is not included in the options dictionary. If we allow the payment to go through for the iOS Camera, it will also allow it for all third-party apps, and even for links arriving in WhatsApp messages, web browsers, etc., some of which can be fraudulent. I have developed a quick prototype of such a fraudulent app. Please provide the bundle identifier of the native Camera, at least in this scenario where QR scanning is happening for payments, or some other way of knowing that the request is coming from the native Camera.
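The handling described above, as an added illustration that is not part of the report: a UIKit openURL handler that parses the UPI pay URI and records whether a source bundle identifier was supplied, but treats the missing identifier as "unknown origin" and routes every request through an explicit in-app confirmation rather than auto-paying. It assumes the `upi://pay` query keys `pa`, `pn` and `am` from the UPI deep-link format and a hypothetical `showConfirmation` screen.

```swift
import UIKit

/// Fields of a UPI "pay" intent URI (upi://pay?pa=...&pn=...&am=...).
struct UPIPaymentRequest {
    let payeeAddress: String   // pa: payee virtual payment address
    let payeeName: String?     // pn: display name, untrusted, supplied by the link
    let amount: Decimal?       // am: requested amount, if any

    /// Accepts only a upi://pay URI that carries a non-empty payee address.
    init?(url: URL) {
        guard url.scheme?.lowercased() == "upi",
              url.host?.lowercased() == "pay",
              let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
              let pa = items.first(where: { $0.name == "pa" })?.value, !pa.isEmpty
        else { return nil }
        payeeAddress = pa
        payeeName = items.first(where: { $0.name == "pn" })?.value
        amount = items.first(where: { $0.name == "am" })?.value.flatMap { Decimal(string: $0) }
    }
}

/// Origin of an incoming deep link as far as the app can tell.
enum DeepLinkOrigin { case knownApp(bundleID: String), unknown }

func origin(of options: [UIApplication.OpenURLOptionsKey: Any]) -> DeepLinkOrigin {
    // The iOS 15 Camera QR hand-off arrives without a sourceApplication, so
    // here it looks exactly like a link opened from any third-party app.
    if let id = options[.sourceApplication] as? String { return .knownApp(bundleID: id) }
    return .unknown
}

final class AppDelegate: UIResponder, UIApplicationDelegate {
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        guard let request = UPIPaymentRequest(url: url) else { return false } // not a pay link
        switch origin(of: options) {
        case .knownApp(let bundleID):
            print("UPI link from \(bundleID); an identifier is not an authorization")
        case .unknown:
            print("UPI link with no source application; treat as untrusted")
        }
        // Never complete the payment from the link alone: show the parsed payee
        // and amount and require the user's explicit, authenticated confirmation.
        showConfirmation(for: request)   // hypothetical in-app confirmation screen
        return true
    }

    func showConfirmation(for request: UPIPaymentRequest) { /* app-specific UI */ }
}
```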