Feeds

iPhones make calls without permission, researcher warns

Easier to beg for forgiveness...

Gartner critical capabilities for enterprise endpoint backup

Apple's iOS is vulnerable to web-based attacks that force third-party apps to make phone calls and carry out other sensitive operations without first warning the user, a security researcher has warned.

Researcher Nitesh Dhanjani shows here how the planting of a simple iframe on a webpage can force the Safari browser to open Skype and dial a phone number or send a message to another Skype user. As long as Skype is installed and it stores the victim's account password, the attack will work with no warning, he wrote.

Websites could use similar techniques to force a variety of third-party iOS apps, some of which are listed here, to also carry out potentially unwanted actions without first warning the user, Dhanjani warned.

He said members of Apple's security team told him the onus is on third-party app developers to make their programs ask for permission before carrying out such actions. That didn't sit well with him.

“I feel the risk posed by how URL Schemes are handled in iOS is significant because it allows external sources to launch applications without user interaction and perform registered transactions,” Dhanjani wrote.

“Third party developers, including developers who create custom applications for enterprise use, need to realize their URL handlers can be invoked by a user landing upon a malicious website and not assume that the user authorized it. Apple also needs to step up and allow the registration of URL Schemes that can instruct Safari to throw an authorization request prior to yanking the user away into the application.”

When Dhanjani contacted Skype, he got no response. But even if the VoIP provider updated its app to seek user permission before making calls and sending messages, Dhanjani still isn't sure users would be best served.

“Third party applications can only ask for authorization after the user has already been yanked out of Safari,” he explained. “A rogue website, or a website whose client code may have been compromised by a persistent XSS, can yank the user out of the Safari browser. Since application on iOS run in full-screen mode, this can be an annoying and jarring experience for the user.”

Indeed, Safari asks for permission when encountering the tel scheme, which invokes the iPhone's default phone. But for reasons that remain unexplained Safari doesn't apply the same treatment when third-party schemes are invoked. ®

Boost IT visibility and business value

More from The Register

next story
Apple takes blade to 13-inch MacBook Pro with Retina display
Shaves price, not screen on mid-2014 model
iPhone 6 flip tip slips in Aussie's clip: Apple's 'reversible USB' leaks
New plug not compatible with official Type-C, according to fresh rumors
FEAST YOUR EYES: Samsung's Galaxy Alpha has an 'entirely new appearance'
Wow, it looks like nothing else on the market, for sure
YES YES YES! Apple patents mousy, pressure-sensing iVibrator
Fanbois prepare to experience the great Cupertin-O
Kate Bush: Don't make me HAVE CONTACT with your iPHONE
Can't face sea of wobbling fondle implements. What happened to lighters, eh?
Steve Jobs had BETTER BALLS than Atari, says Apple mouse designer
Xerox? Pff, not even in the same league as His Jobsiness
TV transport tech, part 1: From server to sofa at the touch of a button
You won't believe how much goes into today's telly tech
Apple analyst: fruity firm set to shift 75 million iPhones
We'll have some of whatever he's having please
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.