Risk Concern in Deep linking for payments apps, when doing payment via iOS 15 Native Camera QR Scan

Number:rdar://FB9715339 Date Originated:Oct 20, 2021
Status:Open Resolved:Open
Product:UIKit Product Version:iOS15
Classification:Suggestion Reproducible:yes
With Recent Changes in iOS 15 Camera, now User can scan any QR code and select payments apps from Camera itself.
This open the payments app via Deep Linking and delivers the UPI URI as a payload in openURL function.

Inside this function, payments app can't verify that this call is happening via Native camera since Source Application Bundle Identifier is not coming in Options Key. If we allow payment to go through for iOS Camera, it will result in allowing for all 3rd party apps as well  and even messages coming on whatsapp, web browser etc. Some of which can be fraudulent.

I have developed a quick prototype for such a fraudulent app.

Please provide the bundle identifier of native camera at least in this scenario when QR scanning is happening for payments, Or some other way of knowing that this is happening from Native Camera.


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!