I know how custom URL scheme works. Basically, I just need to define a custom URL scheme in Info.plist, and handle it like following:

func application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey : Any] = [:]) -> Bool {
        // here I only printout
        print("url host: \(String(describing: url.host))")
        print("url path: \(url.path)")

        return true

For example, if I define url as myapp://foo.com/bar , the above function would print out the host as foo.com and path as bar.

My question is, is it overall a secure way of transferring data between two apps saying another app opens the custom URL and use the path to transfer some sensitive information. e.g. myapp://foo.com/sensetive_data . Would the sensitive_data be caught by another app than mine or be leaked?

2 Answers

Zaphod On

In my opinion it is not secure if your sensitive data is not encrypted.

To read your sensitive data I would just have to uninstall your second app, and install my own registering the same scheme than yours to access the data.

So, you may either:

  • encrypt your data (with all the restriction applied to encryption usage)
  • use some kind of a token that can be used to retrieve sensitive data from your server

EDIT: For encryption you can use the Security framework: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/using_keys_for_encryption

Sunil Sharma On

No, It's not safe to share sensitive data in custom URL scheme or Universal link.

It is possible to register two app with same custom URL scheme, at this point action is undefined which app will be open but let's suppose your is uninstalled and the fake app is installed in device then your custom URL scheme will open fake app and data can be easily read by that app.

And in Universal link when your app is not installed then it will open Safari and URL filed will contain full path which can be copied from there.

In my opinion the best way to share sensitive data between two or more app is to use Shared Keychain.

If you develop a family of apps, all of which rely on the same user secret, you can use access groups to securely share that secret among those apps. For example, you can share credentials, so that logging into one of your apps automatically grants the user access to all of your apps. This kind of sharing doesn’t require interaction with or permission from the user, but limits sharing to apps that are delivered by a single development team.