IBM Security Verify

  • 1.  How can I secure a URL using ISAM

    Posted Tue September 22, 2020 06:13 AM
    We need to send some data to the user in an SMS to use in activating the mobile app, so we send a URL with some attributes in it. When the user clicks the URL, the app opens and sets these attributes. But we need to secure this URL and hide these attributes, because sometimes the URL opens in the browser and the data appears in clear text in the URL.

    ------------------------------
    mohamed ghonem
    ------------------------------


  • 2.  RE: How can I secure a URL using ISAM

    Posted Tue September 22, 2020 12:02 PM
    Hi Mohamed,

    If I understand what you are doing, I think the issue here is that you are sending sensitive information via an untrusted route (SMS) to an untrusted destination (the user's device) without any protection.  This data could be intercepted in any number of ways by an attacker.

    If this information is truly sensitive, I think you need to find another way to exchange it... and even then you should consider a determined attacker running trace/debug tools on their device to extract the data from the application.  Perhaps look at OAuth flows - maybe device flow?

    If this is more of a user experience issue (rather than security issue), perhaps consider passing a token of some kind via SMS and then have the application use this token to call the service to pull down the activation data.  That way you're not passing data a user can casually observe.  Again, sending this kind of token by SMS is not really a great idea (in my opinion).  You need to carefully consider the risk model.

    Without knowing the impact of attacker/user getting the information, it's hard to determine risk and therefore suitable mitigations.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
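A minimal shape of the token-then-fetch pattern Jon describes, as an added example that is not part of the original thread and not ISAM code: the service keeps the activation attributes server-side and puts only a random, short-lived, single-use token in the SMS link, and the app redeems that token through a call to the service. The store class, the link format and the ten-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # constructed value: a token is valid for ten minutes


class ActivationTokenStore:
    """Holds activation attributes server-side, keyed by the hash of an opaque token.

    The SMS link carries only the token, never the attributes themselves, so a
    link opened in a browser reveals nothing beyond a random string.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # token hash -> (attributes, expiry timestamp)

    @staticmethod
    def _digest(token):
        # Store a hash of the token so a leaked copy of the store cannot be redeemed.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, attributes):
        """Return an opaque, single-use token that references the attributes."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expiry = self._now() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (dict(attributes), expiry)
        return token

    def build_link(self, token, base="https://activate.example.invalid/a"):
        # Hypothetical app-link format: the token is the only value in the URL.
        return f"{base}?t={token}"

    def redeem(self, token):
        """Exchange a token for its attributes exactly once, or return None."""
        # pop() removes the entry, so a replayed or re-opened link gets nothing.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        attributes, expiry = entry
        if self._now() > expiry:
            return None
        return attributes


if __name__ == "__main__":
    store = ActivationTokenStore()
    tok = store.issue({"device_id": "constructed-device-123"})  # constructed data
    print(store.build_link(tok))        # attributes are absent from the link
    print(store.redeem(tok))            # first redemption returns the attributes
    print(store.redeem(tok))            # second redemption returns None
```

The app still needs to authenticate to the redemption endpoint over TLS; the token only replaces the cleartext attributes in the link, it does not by itself make SMS a trustworthy channel.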