iOS apps can make calls without asking you first

JC Torres - Aug 25, 2014, 4:15am CDT
iOS apps can make calls without asking you first

Users are known to ignore a few warnings, skip a few steps, and other sometimes cringe-worthy actions for the sake of convenience. However, that isn’t an excuse for app developers to ignore common sense (which, apparently, isn’t really that common) just to provide users that convenience. Unfortunately, that might be the case on iOS, where several popular apps have allegedly skimmed over Apple‘s developer documentation, leaving users vulnerable to, in the worst case scenario, making an automatic phone call to a premium-rate phone number.

The issue revolves around the “tel” URI (Uniform Resource Identifier), a standard that helps operating systems, servers, and apps determine what to do with certain types of links. For example “http” would open a web browser, “mailto” would start the mail app, and “tel” would indicate a phone number to be called. In this case, iOS implements two different behaviors for a “tel” link depending on where it is coming from. In a web page, like in Safari, when a user clicks a link, he or she will be prompted whether they want the number to be called. However, in a native app, like Facebook Messanger or Google+, no such warning is given and the number it automatically called.

“When a user taps a telephone link in a webpage, iOS displays an alert asking if the user really wants to dial the phone number and initiates dialing if the user accepts. When a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user. However, a native app can be configured to display its own alert.”

That might be a strange setup, but it might have been a design made for the sake of convenience. Unfortunately, things don’t stop there. Users are more often than not notorious for clicking links left and right. But developer Andrei Neculaesei, who wrote about the issue on his blog, was able to easily exploit this behavior through the simple use of Javascript. All that was needed was to have the user view a web page and the “tel” link would click itself, no further user interaction needed. Neculaesei says that this could be used to get the user’s phone to dial a premium-rate phone which automatically answers on the first ring even before the user has a chance to cancel the money-sucking call.

Who’s to blame in this case? At first, one might easily point the finger at Apple for providing such functionality, and perhaps they might bear a bit of the culpability too. However, Apple’s documentation clearly states the behavior as well as the option for apps to enable their own warning system. Unfortunately, the added work might have discouraged developers from doing so. One thing that Apple can be held responsible for is making such a lax security feature be the default behavior for native apps.

That said, Apple’s own iOS apps are safe from the issue. Unfortunately, many of the popular apps like Facebook and Google+, which are just the tip of the iceberg, exhibit the behavior. Who knows how many more third-party apps, especially the most used ones, are vulnerable to abuse. Hopefully now that the cat is out of the bag, app developers will audit their own code and implement the necessary checks to prevent users from losing money, even if they do click on that innocent-looking link.

SOURCE: Andrei Neculaesei, PCWorld

Must Read Bits & Bytes