or Connect
AppleInsider › Forums › Mobile › iPhone › Known iOS auto-call feature sparks concerns about unintended dialings
New Posts  All Forums:Forum Nav:

Known iOS auto-call feature sparks concerns about unintended dialings

post #1 of 54
Thread Starter 
Technical oversights on the part of some of the iOS ecosystem's most prominent developers -- including Facebook and Google --?could allow attackers to exploit a documented iOS feature that allows apps to initiate phone calls without a prompt, spurring reminders that iPhone owners should be careful what they tap on.



Romanian developer Andrei Neculaesei discovered that some apps do not properly account for tel: URIs -- which pass a telephone number to the handset's dialer much like a mailto: URI would open the Mail app -- in embedded web views. Because Apple allows app developers to bypass confirmation prompts when calling the dialer from within their apps, a specially-crafted web page could cause users to initiate telephone or FaceTime calls against their will.

Tapping a malicious link from within the official Gmail app could, for example, force users to call an expensive toll number. Other popular apps affected by the oversight include Facebook Messenger and Google+.

While the issue does not represent a flaw on Apple's part, it seems likely that the company will implement changes to save developers from themselves, perhaps by altering the default behavior of such links to draw a confirmation prompt as they do when tapped in mobile Safari.

Though it is a relatively low-grade problem, it does serve to remind users that they should exercise caution when opening messages or tapping links from people that they do not know. Malware authors depend almost entirely upon consumers' lack of such basic precautions.
post #2 of 54
Pretty far-fetched if you ask me. If you receive a strange looking text or e-mail, just ignore it or delete it.

Proud AAPL stock owner.

 

GOA

Reply

Proud AAPL stock owner.

 

GOA

Reply
post #3 of 54
Seems like a no-brainer under the hood change for Apple to make. The app developers probably won't notice a thing as far as their apps go.

You did not come into the world to fail. You came into the world to succeed.

- Gordon Hinckley

Reply

You did not come into the world to fail. You came into the world to succeed.

- Gordon Hinckley

Reply
post #4 of 54
Potentially affects just about every app with phone number links. there's also other url schemes that could work a bit differently than Apple intended.
http://www.irongeek.com/i.php?page=videos/bsideslasvegas2014/pg10-ios-url-schemes-omg-guillaume-k-ross

http://algorithm.dk/posts/rtfm-0day-in-ios-apps-g-gmail-fb-messenger-etc

Apple will probably need to make a few changes even tho they may not technically be at fault.
Edited by Gatorguy - 8/25/14 at 12:54pm
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #5 of 54
Quote:
 While the issue does not represent a flaw on Apple's part, it seems likely that the company will implement changes to save developers from themselves, perhaps by altering the default behavior of such links to draw a confirmation prompt as they do when tapped in mobile Safari.

 

How is that not a flaw on Apple's part?  Anyone that has done software design knows that if you don't want someone to use your functionality a certain way; then you code to stop it.  Whomever wrote that paragraph has never designed software that was used by others.  

post #6 of 54
Prompt only happens sometimes? Apple's fault.

Easy to fix.
post #7 of 54
Standards are slipping, watch Steve Jobs take on this type of thing.

http://youtu.be/TGLxjppFqeA
post #8 of 54

This is welcome news indeed if it happens from Gmail, Facebook Messenger and Google+. Long may it continue!

"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
post #9 of 54
Quote:
Originally Posted by Benjamin Frost View Post
 

This is welcome news indeed if it happens from Gmail, Facebook Messenger and Google+. Long may it continue!

By your logic it would be good if the US and Europe allowed islamic terrorists continued to attack us so everyone would see how evil they are and hate them.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #10 of 54
Quote:
Originally Posted by mstone View Post
 
Quote:
Originally Posted by Benjamin Frost View Post
 

This is welcome news indeed if it happens from Gmail, Facebook Messenger and Google+. Long may it continue!

You have got to be one of the most clueless posters we have ever had on this forum. By your logic it would be good if the US and Europe allowed islamic terrorists continued to attack us so everyone would see how evil they are and hate them.

 

Your logic is flawed.

 

I couldn't care less about the wellbeing of the apps I mentioned; I don't use them. Google deserves everything coming to them, so the more crime that spews forth on their heads, the worse their reputation becomes, which is a good thing. There is no need for anyone to use those apps, so I don't know why you get your panties in such a twist-perhaps you own Google shares?

"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
post #11 of 54
Quote:
Originally Posted by Benjamin Frost View Post

 

I couldn't care less about the wellbeing of the apps I mentioned; I don't use them. Google deserves everything coming to them, so the more crime that spews forth on their heads, the worse their reputation becomes, which is a good thing. There is no need for anyone to use those apps, so I don't know why you get your panties in such a twist-perhaps you own Google shares?

You just confirmed exactly what I wrote. You obviously don't care how many innocent iOS users get harmed so long as it is not you and it discredits your enemies. Can't you see how not fixing this tarnishes Apple's reputation more than anything else?


Edited by mstone - 8/25/14 at 2:23pm

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #12 of 54
This will likely affect very few if anyone with a malicious attack but it could be done. Remember those phone numbers — before the internet? — that tried to get you to call the Caymen Islands or some such place that looked like they had a US area code but would cost you a lot of money just for connecting? This could be used with any number, not just ones look like a normal phone number simply by clicking the wrong link.

We talked about it in detail in this thread: http://forums.appleinsider.com/t/187187

Quote:
Originally Posted by nagromme View Post

Prompt only happens sometimes? Apple's fault.

Easy to fix.

Yes.

I agree, and hopefully it's resolved before iOS 8 is out.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

Reply

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

Reply
post #13 of 54
Seems like a serious problem
post #14 of 54
Quote:
Originally Posted by mstone View Post

Quote:
Originally Posted by Benjamin Frost View Post

I couldn't care less about the wellbeing of the apps I mentioned; I don't use them. Google deserves everything coming to them, so the more crime that spews forth on their heads, the worse their reputation becomes, which is a good thing. There is no need for anyone to use those apps, so I don't know why you get your panties in such a twist-perhaps you own Google shares?
You just confirmed exactly what I wrote. You obviously don't care how many innocent iOS users get harmed so long as it is not you and it discredits your enemies. Can't you see how not fixing this tarnishes Apple's reputation more than anything else?

You obviously haven't read the article.

It says that this is due to poor programming on Google and Facebooks' part. It isn't a flaw by Apple.

So no, it doesn't affect Apple's reputation; it diminishes Google's and Facebook's.

It doesn't surprise me in the slightest that Google and Facebook couldn't care less about their apps' users, because their customers are the advertisers; the users are the product.

If you like being a product, more fool you.
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
post #15 of 54
Fixed in iOS 8
post #16 of 54
Quote:
Originally Posted by Benjamin Frost View Post
 
It isn't a flaw by Apple. So no, it doesn't affect Apple's reputation; it diminishes Google's and Facebook's.

So tell us who's app actually makes the call thus causing the harm.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #17 of 54
Quote:
Originally Posted by mstone View Post

Quote:
Originally Posted by Benjamin Frost View Post

 
So tell us who's app actually makes the call thus causing the harm.

Oh for goodness sake, just read the friggin article.
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
post #18 of 54
Quote:
Originally Posted by Benjamin Frost View Post

Oh for goodness sake, just read the friggin article.

Yes - read the original article. It's the way Apple wrote the code:

http://algorithm.dk/posts/rtfm-0day-in-ios-apps-g-gmail-fb-messenger-etc
Apple's documentation on the tel scheme is really short and easy to read. While reading the first paragraph something caught my attention:

When a user taps a telephone link in a webpage, iOS displays an alert asking if the user really wants to dial the phone number and initiates dialing if the user accepts. When a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user.
post #19 of 54
Quote:
Originally Posted by Benjamin Frost View Post

This is welcome news indeed if it happens from Gmail, Facebook Messenger and Google+. Long may it continue!
Perhaps you should do a little more reading and a little less writing until you're up-to-date. This is not something fixable by Google and Facebook.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #20 of 54
Quote:
Originally Posted by Gatorguy View Post

Quote:
Originally Posted by Benjamin Frost View Post

This is welcome news indeed if it happens from Gmail, Facebook Messenger and Google+. Long may it continue!
Perhaps you should do a little more reading and a little less writing until you're up-to-date. This is not something fixable by Google and Facebook.

Must be something in the water today. Read the article.
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
post #21 of 54
Quote:
Originally Posted by Benjamin Frost View Post

Must be something in the water today. Read the article.
oh geez. . . I read it before the AI author did.

Google can rewrite every one of their iOS apps to display a warning even tho iOS doesn't require it. . It won't prevent any other iOS app from "phoning home" (or something more nefarious) without your OK. It will almost certainly have to be an Apple fix.

READ THE SOURCE ARTICLE!
Edited by Gatorguy - 8/25/14 at 3:34pm
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #22 of 54
Can anyone think of a good reason why Apple would design for a native app to call through?

Why would Apple code a feature and document it?

Because It has a purpose and is not a flaw.
post #23 of 54
Quote:
Originally Posted by Wetlander View Post

Can anyone think of a good reason why Apple would design for a native app to call through?

Why would Apple code a feature and document it?

Because It has a purpose and is not a flaw.

Well, now it's a flaw that some sneaky and devious individual may be able to use against iPhone owners. The original intent might have been noble but in practical use. . .
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #24 of 54
Quote:
Originally Posted by runbuh View Post

Yes - read the original article. It's the way Apple wrote the code:

http://algorithm.dk/posts/rtfm-0day-in-ios-apps-g-gmail-fb-messenger-etc
Apple's documentation on the tel scheme is really short and easy to read. While reading the first paragraph something caught my attention:

When a user taps a telephone link in a webpage, iOS displays an alert asking if the user really wants to dial the phone number and initiates dialing if the user accepts. When a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user.

If that's a feature then it's flawed thinking.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

Reply

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

Reply
post #25 of 54
Looks like that proof is a jailbroken device to me. Once you remove the lock on the "walled garden" who's fault is it if the thieves get in?

Ok, after reading the link to the article, this is either a jailbroken device, or he's running it in the dev testing mode on a mac. The one thing that cannot be verified is if he actually made a script for the link to click itself or if he actually clicked it. With the way the mouse moves in all of the examples, it looks like a person moved the mouse since it does not move straight to the link and click, it loops under the link and then clicks on it.

No way to be sure.
Edited by HammerofTruth - 8/25/14 at 3:52pm
post #26 of 54
Quote:
Originally Posted by HammerofTruth View Post

Looks like that proof is a jailbroken device to me. Once you remove the lock on the "walled garden" who's fault is it if the thieves get in?

Normally I'd agree with that, but since it is an Apple documented URL behavior, it is probably unrelated to a jailbreak.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #27 of 54

This is something that Apple should fix of course, I just don't think it's as bad as some people are trying to make it. A call will trigger the "calling" screen with a big red button to hang up. It's not like an app can call hundreds of numbers in the background without you noticing it.

 

Meanwhile, any app can send spam email (or do other nefarious stuff that can be done through the internet) behind your back without any visible sign that it's happening.

post #28 of 54
Quote:
Originally Posted by HammerofTruth View Post

No way to be sure.

You can go to that webpage and test it. It is actually doing what it demonstrates.

 

http://box.algorithm.dk/ios/02.html

 

Quote:
 <a id="target" href="tel://0000">click me</a>
<script>
var target = document.getElementById("target");
var fakeEvent = document.createEvent("MouseEvents");
fakeEvent.initEvent("click", true, false);
target.dispatchEvent(fakeEvent);
</script>

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #29 of 54
Quote:
Originally Posted by Gatorguy View Post

Well, now it's a flaw that some sneaky and devious individual may be able to use against iPhone owners. The original intent might have been noble but in practical use. . .

Nice edit...

But you didn't answer my question of purpose? Why would Apple allow sneaky and nefariously devious individuals to do this?

Oh my God! It's for the NSA!
/s

No reply required.
post #30 of 54
Quote:
Originally Posted by Wetlander View Post

Nice edit...

But you didn't answer my question of purpose? Why would Apple allow sneaky and nefariously devious individuals to do this?
.
They didn't realize that it could be abused for purposes Apple did not intend? Now that Apple is aware of it your answer will come by whether they choose to change it. I'll wager they do.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #31 of 54
Quote:
Originally Posted by Gatorguy View Post
 
They didn't realize that it could be abused for purposes Apple did not intend? Now that Apple is aware of it your answer will come by whether they choose to change it.

According to post #14 it has been fixed in iOS 8. They will still need to fix it in all supported OS versions though.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #32 of 54
Quote:
Originally Posted by mstone View Post

According to post #14 it has been fixed in iOS 8. They will still need to fix it in all supported OS versions though.
Thanks! Goes to my point then.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #33 of 54
Messenger is basically spyware. I deleted it. F#ck FB's message service.
post #34 of 54
Quote:
Originally Posted by Gatorguy View Post

Quote:
Originally Posted by Benjamin Frost View Post

Must be something in the water today. Read the article.
oh geez. . . I read it before the AI author did.

Google can rewrite every one of their iOS apps to display a warning even tho iOS doesn't require it. . It won't prevent any other iOS app from "phoning home" (or something more nefarious) without your OK. It will almost certainly have to be an Apple fix.

READ THE SOURCE ARTICLE!

No.

As you seem determined to ignore the article, let me make it simple for you.

Due to poor programming on the part of Google and Facebook, it is possible to automatically dial a number from a link. To save those developers from themselves, it is suggested that Apple will implement an automatic warning message. Google and Facebook could have simply written in the warning message in the first place, but they didn't bother, as they only care about the advertisers, not the users.

Technical oversights on the part of some of the iOS ecosystem's most prominent developers -- including Facebook and Google --?could allow attackers to exploit a documented iOS feature that allows apps to initiate phone calls without a prompt, spurring reminders that iPhone owners should be careful what they tap on.

While the issue does not represent a flaw on Apple's part, it seems likely that the company will implement changes to save developers from themselves, perhaps by altering the default behavior of such links to draw a confirmation prompt as they do when tapped in mobile Safari.
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
post #35 of 54
Quote:
Originally Posted by Gatorguy View Post

They didn't realize that it could be abused for purposes Apple did not intend? Now that Apple is aware of it your answer will come by whether they choose to change it. I'll wager they do.

Of course there are unintended consequences.

Since sneaky and devious individuals may be able to use email links against email users, they are now a flaw...
post #36 of 54
Quote:
Originally Posted by Benjamin Frost View Post

No. . . yada yada

Yes. As hell-bent as you are on being "right" instead of accurate

"While I only tested on a few apps which are big names, it is safe to assume that the smaller teams and platform haven't even thought about preventing this."

No change Google could put in place would have any effect outside of their own apps. Just as I've said (more than once) it's now Apple's "flaw" to fix. MStone was helpful enough to note that Apple is doing just that in iOS 8, an acknowledgement that the URL scheme as written wasn't appropriately done in hindsight. Nice that Apple didn't so stubbornly insist as you do that everything was just fine the way they wrote it don't you think.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #37 of 54
Quote:
Originally Posted by Gatorguy View Post





"While I only tested on a few apps which are big names, it is safe to assume that the smaller teams and platform haven't even thought about preventing this."

This man is casually dismissing small developers as ignorant twits, suggesting that none of them will have deigned to put in a tiny safeguard because the big boys overlooked it.
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
post #38 of 54

Using code seems like a lot of trouble to make the phone dial...  

 

After iOS 8 has wide release I could just put out a radio advert during rush hour/drive time that says, 

 'Hey Siri, dial 1900 xxx-xxx.'  

 

Could probably throw in... 'Ok Google, dial 1900 xxx-xxx' for good measure.

 

That or maybe a late night TV ad for those who leave their phone charging in the living room and fall asleep with the TV running.

 

Ok, so I wouldn't do that.  But how cheeky will it be for a radio DJ on Mother's day to broadcast, 'Hey Siri, call Mom.'  

 

Unfortunately, very unfortunately, Apple may need to have a (non-voice) confirmation for Siri to complete dialing.  :(

 

Yeah, I know. I only have a problem not a solution. 

post #39 of 54
Quote:
Originally Posted by Douglas Bailey View Post

Using code seems like a lot of trouble to make the phone dial...  

After iOS 8 has wide release I could just put out a radio advert during rush hour/drive time that says, 
 'Hey Siri, dial 1900 xxx-xxx.'  

Could probably throw in... 'Ok Google, dial 1900 xxx-xxx' for good measure.

That or maybe a late night TV ad for those who leave their phone charging in the living room and fall asleep with the TV running.

Ok, so I wouldn't do that.  But how cheeky will it be for a radio DJ on Mother's day to broadcast, 'Hey Siri, call Mom.'  

Unfortunately, very unfortunately, Apple may need to have a (non-voice) confirmation for Siri to complete dialing.  1frown.gif

Yeah, I know. I only have a problem not a solution. 

You obviously haven't used Siri, as it isn't possible to activate it by saying, "Hey, Siri."

You've been watching too many Glasshole videos.
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
Reply
post #40 of 54

Benjamin, you haven't checked your facts;

 

I said iOS 8 and I gave examples of two situations where many users would have their phone plugged in to power.  

 

Granted, in the car situation I didn't explicitly state that the car driver would have their phone plugged in but those who know of the feature can draw that conclusion. 

 

iOS 8 : Settings > General > Siri > Voice Activation: 'You can speak to Siri without pressing the home button by saying, "Hey Siri" when connected to power.

 

Edit: Benjamin, YOU know of this feature already. You commented on the AppleInsider article that talks of this feature: 

http://appleinsider.com/articles/14/06/03/new-settings-in-ios-8-auto-delete-texts-camera-privacy-controls-hey-siri-voice-activation

New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
AppleInsider › Forums › Mobile › iPhone › Known iOS auto-call feature sparks concerns about unintended dialings