Known iOS auto-call feature sparks concerns about unintended dialings
Technical oversights on the part of some of the iOS ecosystem's most prominent developers -- including Facebook and Google -- could allow attackers to exploit a documented iOS feature that allows apps to initiate phone calls without a prompt, spurring reminders that iPhone owners should be careful what they tap on.
Romanian developer Andrei Neculaesei discovered that some apps do not properly account for tel: URIs -- which pass a telephone number to the handset's dialer much like a mailto: URI would open the Mail app -- in embedded web views. Because Apple allows app developers to bypass confirmation prompts when calling the dialer from within their apps, a specially-crafted web page could cause users to initiate telephone or FaceTime calls against their will.
Tapping a malicious link from within the official Gmail app could, for example, force users to call an expensive toll number. Other popular apps affected by the oversight include Facebook Messenger and Google+.
While the issue does not represent a flaw on Apple's part, it seems likely that the company will implement changes to save developers from themselves, perhaps by altering the default behavior of such links to draw a confirmation prompt as they do when tapped in mobile Safari.
Though it is a relatively low-grade problem, it does serve to remind users that they should exercise caution when opening messages or tapping links from people that they do not know. Malware authors depend almost entirely upon consumers' lack of such basic precautions.
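The developer-side fix the article describes is to intercept tel: and FaceTime links inside an embedded web view and show the confirmation prompt that iOS itself omits for native apps. The following is an added illustration, not code from the article or from any of the apps it names; it assumes a WKWebView-based screen (the apps in 2014 used the older UIWebView, whose delegate method differs) and a hypothetical SafeWebViewController class.

```swift
import UIKit
import WebKit

// Hypothetical container for a web view that must never reach the dialer
// without the user's explicit consent.
final class SafeWebViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()

    // Schemes that start a call with no system prompt when opened from a native app.
    // "tel" and "facetime" are the ones the article discusses; "facetime-audio" is
    // the audio-only variant documented by Apple.
    private let callSchemes: Set<String> = ["tel", "facetime", "facetime-audio"]

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        view.addSubview(webView)
    }

    // Every navigation, including taps on <a href="tel:..."> in untrusted HTML,
    // passes through this policy decision before it takes effect.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased(),
              callSchemes.contains(scheme) else {
            decisionHandler(.allow)   // ordinary http(s) navigation proceeds
            return
        }

        // Cancel the navigation so web content can never trigger the call directly,
        // then ask the user, mirroring what mobile Safari does for the same link.
        decisionHandler(.cancel)
        let target = url.absoluteString.removingPercentEncoding ?? url.absoluteString
        let alert = UIAlertController(title: "Call \(target)?",
                                      message: "This page is trying to start a call.",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            UIApplication.shared.open(url)   // only after explicit consent
        })
        present(alert, animated: true)
    }
}
```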
Comments
http://www.irongeek.com/i.php?page=videos/bsideslasvegas2014/pg10-ios-url-schemes-omg-guillaume-k-ross
http://algorithm.dk/posts/rtfm-0day-in-ios-apps-g-gmail-fb-messenger-etc
Apple will probably need to make a few changes even though they may not technically be at fault.
How is that not a flaw on Apple's part? Anyone that has done software design knows that if you don't want someone to use your functionality a certain way; then you code to stop it. Whomever wrote that paragraph has never designed software that was used by others.
Easy to fix.
This is welcome news indeed if it happens from Gmail, Facebook Messenger and Google+. Long may it continue!
You have got to be one of the most clueless posters we have ever had on this forum. By your logic it would be good if the US and Europe allowed Islamic terrorists to continue to attack us so everyone would see how evil they are and hate them.
Your logic is flawed.
I couldn't care less about the wellbeing of the apps I mentioned; I don't use them. Google deserves everything coming to them, so the more crime that spews forth on their heads, the worse their reputation becomes, which is a good thing. There is no need for anyone to use those apps, so I don't know why you get your panties in such a twist-perhaps you own Google shares?
You just confirmed exactly what I wrote. You obviously don't care how many innocent iOS users get harmed so long as it is not you and it discredits your enemies. Can't you see how not fixing this tarnishes Apple's reputation more than anything else?
We talked about it in detail in this thread: http://forums.appleinsider.com/t/187187
Yes.
I agree, and hopefully it's resolved before iOS 8 is out.
You obviously haven't read the article.
It says that this is due to poor programming on Google's and Facebook's part. It isn't a flaw by Apple.
So no, it doesn't affect Apple's reputation; it diminishes Google's and Facebook's.
It doesn't surprise me in the slightest that Google and Facebook couldn't care less about their apps' users, because their customers are the advertisers; the users are the product.
If you like being a product, more fool you.
So tell us whose app actually makes the call, thus causing the harm.
Oh for goodness sake, just read the friggin article.
Yes - read the original article. It's the way Apple wrote the code:
http://algorithm.dk/posts/rtfm-0day-in-ios-apps-g-gmail-fb-messenger-etc
Apple's documentation on the tel scheme is really short and easy to read. While reading the first paragraph something caught my attention:
When a user taps a telephone link in a webpage, iOS displays an alert asking if the user really wants to dial the phone number and initiates dialing if the user accepts. When a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user.
Must be something in the water today. Read the article.
Google can rewrite every one of their iOS apps to display a warning even though iOS doesn't require it. It won't prevent any other iOS app from "phoning home" (or something more nefarious) without your OK. It will almost certainly have to be an Apple fix.
READ THE SOURCE ARTICLE!