Custom URL Schemes vs Deep Links #485

@cpholguera

As noticed in https://github.com/OWASP/owasp-mstg/pull/1805/files#r471915771, MSTG-PLATFORM-3 is about Custom URL Schemes; maybe we should consider changing it to Deep Linking since Custom URL Schemes are, so to say, a subset of Deep Links. In the end we're telling the same story on both platforms: you have custom/unverified and verified links. The recommendation should be to use more of the verified links (e.g. App Links on Android, Universal Links on iOS) and always verify the input data. But this shouldn't be restricted to "Custom URL Schemes".

| **6.3** | MSTG-PLATFORM-3 | The app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected. | ✓ | ✓ |

should be:

| **6.3** | MSTG-PLATFORM-3 | The app does not export sensitive functionality via deep links of any kind, unless these mechanisms are properly protected. | ✓ | ✓ |

Interpretation:

  • does not export sensitive functionality -> it does not trigger sensitive actions (e.g. a bank transfer), does not reveal sensitive information (by sending back some data), etc.
  • properly protected -> verified deep linking is used, input parameters are validated, allow/block lists are used, etc.

Next, in theory, this still collides with the following requirement, as deep links/custom URL schemes can be considered IPC facilities. An app (including browser/email apps containing links to apps, i.e. deep linking) can trigger actions in other apps via a link with parameters.

| **6.4** | MSTG-PLATFORM-4 | The app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected. | ✓ | ✓ |

Interpretation is the same as above. I tend to think that we have 2 options: put it all together into this requirement or, if not, each IPC mechanism would deserve its own requirement, but that would make everything more complicated to my taste. Keep it simple :)
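To make the "properly protected" interpretation above concrete (verified deep linking, validated parameters, allow lists), here is an added Android example; it is not part of this issue nor of the OWASP MSTG/MASVS projects. It assumes the app declares an App Links intent-filter with `android:autoVerify="true"` for the hypothetical host `bank.example`, serves the matching `/.well-known/assetlinks.json` there, and has hypothetical in-app screens `TransferReviewActivity` and `AccountActivity` where the signed-in user confirms anything sensitive. The link itself never triggers a transfer or returns data; it only navigates.

```kotlin
// Added example, not from the OWASP issue or the MSTG/MASVS projects.
// Assumptions: App Links intent-filter with android:autoVerify="true" for
// https://bank.example/... (hypothetical host), assetlinks.json served there,
// and hypothetical TransferReviewActivity / AccountActivity screens.
import android.app.Activity
import android.content.Intent
import android.net.Uri
import android.os.Bundle

// What a validated link may ask the app to do. Neither variant performs a
// sensitive action; both only navigate to a screen inside the signed-in app.
sealed class DeepLinkAction {
    data class PrefillTransfer(val amount: String, val toAccount: String) : DeepLinkAction()
    data class ShowAccount(val accountId: String) : DeepLinkAction()
}

object DeepLinkPolicy {
    // Allow lists: scheme, host and path must all match; everything else is dropped.
    private const val ALLOWED_SCHEME = "https"
    private val allowedHosts = setOf("bank.example")

    // Strict per-parameter patterns: link parameters are untrusted input.
    private val amountPattern = Regex("""^\d{1,7}(\.\d{1,2})?$""")
    private val accountIdPattern = Regex("""^[A-Za-z0-9]{6,32}$""")

    // Returns null for anything that is not an allow-listed, well-formed link.
    // Custom schemes such as myapp:// are rejected on purpose: any installed app
    // can register the same scheme, so such links cannot be considered verified.
    fun parse(uri: Uri): DeepLinkAction? {
        if (uri.scheme != ALLOWED_SCHEME) return null
        val host = uri.host ?: return null
        if (host !in allowedHosts) return null
        return when (uri.path) {
            "/pay" -> {
                val amount = uri.getQueryParameter("amount") ?: return null
                val to = uri.getQueryParameter("to") ?: return null
                if (!amountPattern.matches(amount) || !accountIdPattern.matches(to)) return null
                DeepLinkAction.PrefillTransfer(amount, to)
            }
            "/account" -> {
                val id = uri.getQueryParameter("id") ?: return null
                if (!accountIdPattern.matches(id)) return null
                DeepLinkAction.ShowAccount(id)
            }
            else -> null
        }
    }
}

// Entry point Activity bound to the verified intent-filter. It only routes;
// the actual transfer is confirmed by the user on TransferReviewActivity.
class DeepLinkActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val action = intent?.data?.let(DeepLinkPolicy::parse)
        when (action) {
            is DeepLinkAction.PrefillTransfer -> startActivity(
                Intent(this, TransferReviewActivity::class.java)   // hypothetical screen
                    .putExtra("amount", action.amount)
                    .putExtra("to", action.toAccount)
            )
            is DeepLinkAction.ShowAccount -> startActivity(
                Intent(this, AccountActivity::class.java)          // hypothetical screen
                    .putExtra("id", action.accountId)
            )
            null -> { /* unsupported or malformed link: ignore, nothing is revealed */ }
        }
        finish()
    }
}
```

The design point is the split between `DeepLinkPolicy.parse`, a pure function that can be unit-tested against malformed, wrong-host and custom-scheme URIs (it returns null for all of them), and the Activity, which does nothing a link could abuse because the sensitive step always happens on a separate in-app screen after the user reviews it. The same shape applies to iOS Universal Links: verify the association, allow-list host and path, validate every parameter, and never let the link itself complete a sensitive action.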
