Known iOS auto-call feature sparks concerns about unintended dialings

Posted:
in iPhone edited August 2014
Technical oversights on the part of some of the iOS ecosystem's most prominent developers -- including Facebook and Google --?could allow attackers to exploit a documented iOS feature that allows apps to initiate phone calls without a prompt, spurring reminders that iPhone owners should be careful what they tap on.



Romanian developer Andrei Neculaesei discovered that some apps do not properly account for tel: URIs -- which pass a telephone number to the handset's dialer much like a mailto: URI would open the Mail app -- in embedded web views. Because Apple allows app developers to bypass confirmation prompts when calling the dialer from within their apps, a specially-crafted web page could cause users to initiate telephone or FaceTime calls against their will.

Tapping a malicious link from within the official Gmail app could, for example, force users to call an expensive toll number. Other popular apps affected by the oversight include Facebook Messenger and Google+.

While the issue does not represent a flaw on Apple's part, it seems likely that the company will implement changes to save developers from themselves, perhaps by altering the default behavior of such links to draw a confirmation prompt as they do when tapped in mobile Safari.

Though it is a relatively low-grade problem, it does serve to remind users that they should exercise caution when opening messages or tapping links from people that they do not know. Malware authors depend almost entirely upon consumers' lack of such basic precautions.
«134

Comments

  • Reply 1 of 66
    SpamSandwichSpamSandwich Posts: 33,408member
    Pretty far-fetched if you ask me. If you receive a strange looking text or e-mail, just ignore it or delete it.
  • Reply 2 of 66
    Seems like a no-brainer under the hood change for Apple to make. The app developers probably won't notice a thing as far as their apps go.
  • Reply 3 of 66
    gatorguygatorguy Posts: 23,164member
    Potentially affects just about every app with phone number links. there's also other url schemes that could work a bit differently than Apple intended.
    http://www.irongeek.com/i.php?page=videos/bsideslasvegas2014/pg10-ios-url-schemes-omg-guillaume-k-ross

    http://algorithm.dk/posts/rtfm-0day-in-ios-apps-g-gmail-fb-messenger-etc

    Apple will probably need to make a few changes even tho they may not technically be at fault.
  • Reply 4 of 66
    Quote:


     While the issue does not represent a flaw on Apple's part, it seems likely that the company will implement changes to save developers from themselves, perhaps by altering the default behavior of such links to draw a confirmation prompt as they do when tapped in mobile Safari.


     

    How is that not a flaw on Apple's part?  Anyone that has done software design knows that if you don't want someone to use your functionality a certain way; then you code to stop it.  Whomever wrote that paragraph has never designed software that was used by others.  

  • Reply 5 of 66
    nagrommenagromme Posts: 2,834member
    Prompt only happens sometimes? Apple's fault.

    Easy to fix.
  • Reply 6 of 66
    Standards are slipping, watch Steve Jobs take on this type of thing.

  • Reply 7 of 66

    This is welcome news indeed if it happens from Gmail, Facebook Messenger and Google+. Long may it continue!

  • Reply 8 of 66
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Benjamin Frost View Post

     

    This is welcome news indeed if it happens from Gmail, Facebook Messenger and Google+. Long may it continue!


    By your logic it would be good if the US and Europe allowed islamic terrorists continued to attack us so everyone would see how evil they are and hate them.

  • Reply 9 of 66
    Quote:

    Originally Posted by mstone View Post

     
    Quote:
    Originally Posted by Benjamin Frost View Post

     

    This is welcome news indeed if it happens from Gmail, Facebook Messenger and Google+. Long may it continue!


    You have got to be one of the most clueless posters we have ever had on this forum. By your logic it would be good if the US and Europe allowed islamic terrorists continued to attack us so everyone would see how evil they are and hate them.


     

    Your logic is flawed.

     

    I couldn't care less about the wellbeing of the apps I mentioned; I don't use them. Google deserves everything coming to them, so the more crime that spews forth on their heads, the worse their reputation becomes, which is a good thing. There is no need for anyone to use those apps, so I don't know why you get your panties in such a twist-perhaps you own Google shares?

  • Reply 10 of 66
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Benjamin Frost View Post

     

    I couldn't care less about the wellbeing of the apps I mentioned; I don't use them. Google deserves everything coming to them, so the more crime that spews forth on their heads, the worse their reputation becomes, which is a good thing. There is no need for anyone to use those apps, so I don't know why you get your panties in such a twist-perhaps you own Google shares?


    You just confirmed exactly what I wrote. You obviously don't care how many innocent iOS users get harmed so long as it is not you and it discredits your enemies. Can't you see how not fixing this tarnishes Apple's reputation more than anything else?

  • Reply 11 of 66
    solipsismxsolipsismx Posts: 19,566member
    This will likely affect very few if anyone with a malicious attack but it could be done. Remember those phone numbers — before the internet? — that tried to get you to call the Caymen Islands or some such place that looked like they had a US area code but would cost you a lot of money just for connecting? This could be used with any number, not just ones look like a normal phone number simply by clicking the wrong link.

    We talked about it in detail in this thread: http://forums.appleinsider.com/t/187187

    nagromme wrote: »
    Prompt only happens sometimes? Apple's fault.

    Easy to fix.

    Yes.

    I agree, and hopefully it's resolved before iOS 8 is out.
  • Reply 12 of 66
    Seems like a serious problem
  • Reply 13 of 66
    mstone wrote: »
    I couldn't care less about the wellbeing of the apps I mentioned; I don't use them. Google deserves everything coming to them, so the more crime that spews forth on their heads, the worse their reputation becomes, which is a good thing. There is no need for anyone to use those apps, so I don't know why you get your panties in such a twist-perhaps you own Google shares?
    You just confirmed exactly what I wrote. You obviously don't care how many innocent iOS users get harmed so long as it is not you and it discredits your enemies. Can't you see how not fixing this tarnishes Apple's reputation more than anything else?

    You obviously haven't read the article.

    It says that this is due to poor programming on Google and Facebooks' part. It isn't a flaw by Apple.

    So no, it doesn't affect Apple's reputation; it diminishes Google's and Facebook's.

    It doesn't surprise me in the slightest that Google and Facebook couldn't care less about their apps' users, because their customers are the advertisers; the users are the product.

    If you like being a product, more fool you.
  • Reply 14 of 66
    Fixed in iOS 8
  • Reply 15 of 66
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Benjamin Frost View Post

     
    It isn't a flaw by Apple. So no, it doesn't affect Apple's reputation; it diminishes Google's and Facebook's.


    So tell us who's app actually makes the call thus causing the harm.

  • Reply 16 of 66
    mstone wrote: »
     
    [CONTENTEMBED=/t/181966/known-ios-auto-call-feature-sparks-concerns-about-unintended-dialings/0_100#post_2584245 layout=inline]It isn't a flaw by Apple. <span style="line-height:1.4em;">So no, it doesn't affect Apple's reputation; it diminishes Google's and Facebook's.</span>
    [/CONTENTEMBED]
    So tell us who's app actually makes the call thus causing the harm.

    Oh for goodness sake, just read the friggin article.
  • Reply 17 of 66
    runbuhrunbuh Posts: 315member
    Oh for goodness sake, just read the friggin article.

    Yes - read the original article. It's the way Apple wrote the code:

    http://algorithm.dk/posts/rtfm-0day-in-ios-apps-g-gmail-fb-messenger-etc
    Apple's documentation on the tel scheme is really short and easy to read. While reading the first paragraph something caught my attention:

    When a user taps a telephone link in a webpage, iOS displays an alert asking if the user really wants to dial the phone number and initiates dialing if the user accepts. When a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user.
  • Reply 18 of 66
    gatorguygatorguy Posts: 23,164member
    This is welcome news indeed if it happens from Gmail, Facebook Messenger and Google+. Long may it continue!
    Perhaps you should do a little more reading and a little less writing until you're up-to-date. This is not something fixable by Google and Facebook.
  • Reply 19 of 66
    gatorguy wrote: »
    This is welcome news indeed if it happens from Gmail, Facebook Messenger and Google+. Long may it continue!
    Perhaps you should do a little more reading and a little less writing until you're up-to-date. This is not something fixable by Google and Facebook.

    Must be something in the water today. Read the article.
  • Reply 20 of 66
    gatorguygatorguy Posts: 23,164member
    Must be something in the water today. Read the article.
    oh geez. . . I read it before the AI author did.

    Google can rewrite every one of their iOS apps to display a warning even tho iOS doesn't require it. . It won't prevent any other iOS app from "phoning home" (or something more nefarious) without your OK. It will almost certainly have to be an Apple fix.

    READ THE SOURCE ARTICLE!
Sign In or Register to comment.