locked
URI scheme verification

    Question

  • Hi, 

    I am developing applications which will call each other using the URI scheme mechanism. 

    I would like to find out which application called my application. 

    Is there any way to implement it in a Metro environment? 

    Thanks in advance!


    ynahmany

    Monday, May 12, 2014 6:05 AM

Answers

  • You can pass arguments in URI (protocol activation) which can represent source application. This is similar to mailto protocol activation.

    Refer following links for help

    In case you still have problem, please post a working code that shows how far you have done it and what exactly your issue is.


    -- Vishal Kaushik --

    Please 'Mark as Answer' if my post answers your question and 'Vote as Helpful' if it helps you. Happy Coding!!!

    Monday, May 12, 2014 7:51 AM
  • It is not possible to tell who launched the URI.

    You have to treat the URI launch as untrusted data.

    --Rob

     
    Monday, May 12, 2014 12:43 PM
    Owner
  • You could add a checksum in the URI that changes over time - so the caller would have to know how to generate the checksum (like a HMAC256, for example) in order to be validated.  For example, instead of:

    App://command

    Send:

    App://command/0234412a232134b1123c

    The checksum could be the current time/date of the phone, or some server state like a checksum of a webpage, rss feed, etc.  It could be a simple checksum of the Uri itself.

    However, anyone that disassembles your apps code automatically knows how to use this, so look into obfuscation.


    Darin R.

    Monday, May 12, 2014 1:34 PM

All replies

  • You can pass arguments in URI (protocol activation) which can represent source application. This is similar to mailto protocol activation.

    Refer following links for help

    In case you still have problem, please post a working code that shows how far you have done it and what exactly your issue is.


    -- Vishal Kaushik --

    Please 'Mark as Answer' if my post answers your question and 'Vote as Helpful' if it helps you. Happy Coding!!!

    Monday, May 12, 2014 7:51 AM
  • Hi, 

    First, thanks for the quick response. 

    Second, I want to protect my application from attackers, assuming the attacker knows the URI scheme I am using he could then pass the same URI to my application. If I will add another parameter the attack vector will not be changed. 

    I am looking for a way to verify the application signature or developer- that way I could cross-reference it. 

    Any idea? 


    ynahmany

    Monday, May 12, 2014 8:17 AM
  • It is not possible to tell who launched the URI.

    You have to treat the URI launch as untrusted data.

    --Rob

     
    Monday, May 12, 2014 12:43 PM
    Owner
  • You could add a checksum in the URI that changes over time - so the caller would have to know how to generate the checksum (like a HMAC256, for example) in order to be validated.  For example, instead of:

    App://command

    Send:

    App://command/0234412a232134b1123c

    The checksum could be the current time/date of the phone, or some server state like a checksum of a webpage, rss feed, etc.  It could be a simple checksum of the Uri itself.

    However, anyone that disassembles your apps code automatically knows how to use this, so look into obfuscation.


    Darin R.

    Monday, May 12, 2014 1:34 PM