Feeds

iPhones make calls without permission, researcher warns

Easier to beg for forgiveness...

Business security measures using SSL

Apple's iOS is vulnerable to web-based attacks that force third-party apps to make phone calls and carry out other sensitive operations without first warning the user, a security researcher has warned.

Researcher Nitesh Dhanjani shows here how the planting of a simple iframe on a webpage can force the Safari browser to open Skype and dial a phone number or send a message to another Skype user. As long as Skype is installed and it stores the victim's account password, the attack will work with no warning, he wrote.

Websites could use similar techniques to force a variety of third-party iOS apps, some of which are listed here, to also carry out potentially unwanted actions without first warning the user, Dhanjani warned.

He said members of Apple's security team told him the onus is on third-party app developers to make their programs ask for permission before carrying out such actions. That didn't sit well with him.

“I feel the risk posed by how URL Schemes are handled in iOS is significant because it allows external sources to launch applications without user interaction and perform registered transactions,” Dhanjani wrote.

“Third party developers, including developers who create custom applications for enterprise use, need to realize their URL handlers can be invoked by a user landing upon a malicious website and not assume that the user authorized it. Apple also needs to step up and allow the registration of URL Schemes that can instruct Safari to throw an authorization request prior to yanking the user away into the application.”

When Dhanjani contacted Skype, he got no response. But even if the VoIP provider updated its app to seek user permission before making calls and sending messages, Dhanjani still isn't sure users would be best served.

“Third party applications can only ask for authorization after the user has already been yanked out of Safari,” he explained. “A rogue website, or a website whose client code may have been compromised by a persistent XSS, can yank the user out of the Safari browser. Since application on iOS run in full-screen mode, this can be an annoying and jarring experience for the user.”

Indeed, Safari asks for permission when encountering the tel scheme, which invokes the iPhone's default phone. But for reasons that remain unexplained Safari doesn't apply the same treatment when third-party schemes are invoked. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Man buys iPHONE 6 and DROPS IT to SMASH on PURPOSE
Yarrrgh! 'Tis Antipodean insanity, ye crazy swab
Oi, Tim Cook. Apple Watch. I DARE you to tell me, IN PERSON, that it's secure
State attorney demands Apple CEO bows the knee to him
4K-ing excellent TV is on its way ... in its own sweet time, natch
For decades Hollywood actually binned its 4K files. Doh!
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Monitors monitor's monitoring finds touch screens have 0.4% market share
Not four. Point four. Count yer booty again, Microsoft
Your chance to WIN the WORLD'S ONLY HANDHELD ZX SPECTRUM
Reg staff not allowed to enter, god dammit
DARPA-backed jetpack prototype built to make soldiers run faster
4 Minute Mile project hatched to speed up tired troops
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.