The Register® — Biting the hand that feeds IT

Feeds

iPhones make calls without permission, researcher warns

Easier to beg for forgiveness...

By Dan Goodin, 10th November 2010
  • print
  • alert

Apple's iOS is vulnerable to web-based attacks that force third-party apps to make phone calls and carry out other sensitive operations without first warning the user, a security researcher has warned.

Researcher Nitesh Dhanjani shows here how the planting of a simple iframe on a webpage can force the Safari browser to open Skype and dial a phone number or send a message to another Skype user. As long as Skype is installed and it stores the victim's account password, the attack will work with no warning, he wrote.

Websites could use similar techniques to force a variety of third-party iOS apps, some of which are listed here, to also carry out potentially unwanted actions without first warning the user, Dhanjani warned.

He said members of Apple's security team told him the onus is on third-party app developers to make their programs ask for permission before carrying out such actions. That didn't sit well with him.

“I feel the risk posed by how URL Schemes are handled in iOS is significant because it allows external sources to launch applications without user interaction and perform registered transactions,” Dhanjani wrote.

“Third party developers, including developers who create custom applications for enterprise use, need to realize their URL handlers can be invoked by a user landing upon a malicious website and not assume that the user authorized it. Apple also needs to step up and allow the registration of URL Schemes that can instruct Safari to throw an authorization request prior to yanking the user away into the application.”

When Dhanjani contacted Skype, he got no response. But even if the VoIP provider updated its app to seek user permission before making calls and sending messages, Dhanjani still isn't sure users would be best served.

“Third party applications can only ask for authorization after the user has already been yanked out of Safari,” he explained. “A rogue website, or a website whose client code may have been compromised by a persistent XSS, can yank the user out of the Safari browser. Since application on iOS run in full-screen mode, this can be an annoying and jarring experience for the user.”

Indeed, Safari asks for permission when encountering the tel scheme, which invokes the iPhone's default phone. But for reasons that remain unexplained Safari doesn't apply the same treatment when third-party schemes are invoked. ®

COMMENTS

House Rules Send Corrections
All Reader Comments (29)
Highly Rated
JaitcH

Yet another undocumented Lemon 5 feature revealed. I am running out of fingers counting!

Increasingly people must question Apple's poor code verification as well as what they laughingly call :quality control".

Some of the faults should have been caught before Lemon 4 hit the stores. The pressure to deliver must have been great but as Ford proudly boasts: "Quality is Job 1".

Jobs' attitude that he and Apple are better than anyone (sic) invites criticism. If Jobs' spent less time sticking his prowess in the face of others, he might garner some sympathy.

He can spend untold hours fruitlessly (no pun intended) locking up his little toy but what's the point if it's so dysfunctional? The 'free calling' when locked and remote web site calling are major flaws that should have been caught months ago.

Even iPhans patience has limits, it's reaching the point of abuse now.

9
1
Anonymous Coward

Please....

Can we have a no-iPhone/Pad/Pod-news-week on El Reg?

9
1
The Fuzzy Wotnot

Oh, get knotted Jobs!

"Apple's security team told him the onus is on third-party app developers to make their programs ask for permission before carrying out such actions"

You sold/passed the app through the wonderful Jobsian application filter that is supposed to weed out crud like this.

You passed it on, you carry the can Jobs!

7
1
Jimmy Floyd

Steve's world; Steve's rules

"...Apple's security team told him the onus is on third-party app developers..."

I was under the impression the onus is never on third-party app developers? If Apple runs a restricted shop then Apple must take responsibility for all of it, not just the good bits.

6
0
Mike Flugennock

Huh, wow...

...it's starting to look like like smartphones are the new dumbphones.

And, what's this business about being "yanked out" of Safari?

Yanked out? Jerked off, more like.

Thanks, you've been wonderful. I'm here all week.

8
2

More from The Register

Android is a mess and needs sprucing up, admits chief
Can Google really fix it? It isn't in control any more
151
New Lumia 925: This, loyalists, is the BIG ONE you've waited for
Nokia veep drills high-end master plan for El Reg
91
Android device? Ooohhhh, you mean a Samsung phone
Koreans nabbed nearly all the Q1 profits – more even than Google
68
Review: HP Pavilion 14 Chromebook
All roads lead to Chrome?
44
NYC attorney seeks mobe-makers' help to curb muggings
'Why no remote killswitch?'
29
Borked your iDevice? Pay EVEN MORE to have it fixed by Applecare
Or scream at their hapless techies on their forums
29
Euro PC shipments plummet into bottomless pit of DOOOOM
11th quarter of decline, 20pc drop on last year - Gartner
41
Mystery Sony big-screen ereader to sport E Ink bender
Liable to be pliable, folks
25
Top guns doomed as US Navy demos first carrier-launched drone
Killer robot takes to the skies
65
Report: AT&T dropping Facebook phone after dismal sales
Turns out folks won't buy that for a dollar
20