Web sites can launch iPhone applications without prompting
Specially crafted web sites can launch iPhone and iPod Touch apps without the Safari browser asking the user for permission when certain URL protocol handlers (URL schemes) are called. For instance, according to security researcher Nitesh Dhanjani, a web site can use the iFrame <iframe src="skype://14085555555?call"></iframe> to launch a Skype app and automatically call a number – provided that the user has saved Skype access data. Criminals would also be able to misuse a number of other applications in the same way. For a list of the protocols currently used in the iPhone, see the URL scheme index.
Dhanjani says that iOS devices apparently do not apply any permission check to protocol handlers registered by third-party apps installed on the iPhone after purchase. If a web site calls one of the URI schemes registered by default in the iPhone, such as tel:1-408-555-5555 for the internal telephone app, Safari and/or iOS displays a dialogue asking whether the user would like to make the call.
Dhanjani says that when he contacted Apple, Apple said that authorisation for certain activities is the responsibility of the app itself. In other words, the app's developers have to implement authorisation for calls to a specific URI. But Dhanjani says that will be hard to do because the apps can also be launched from outside Safari, after the point at which permission would need to be granted. Dhanjani therefore says that there should be a way for an app, when it registers a URL protocol handler, to indicate whether Safari should open a prompt window before invoking it. Furthermore, he says Apple needs to pay more attention to potential abuse when reviewing app security.
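The two defender-side checks below are an added example and are not code from the article, from Dhanjani or from Apple. The first models what a content scanner or proxy could do with a page like the one described: list every iframe or link whose target uses a non-web scheme. The second models the decision Apple says belongs in the app: before acting on a URL it was launched with, the handler parses it, rejects malformed input, and requires an in-app confirmation for any side-effecting action, since the app cannot rely on Safari having prompted. The skype:// form follows the article's example; the sample HTML, the phone-number rule and the "handled_scheme" parameter are constructed assumptions.

```python
"""Added example: defender-side handling of iOS URL-scheme launches.

find_scheme_references(html)  - flags iframe/anchor/script targets that use
                                 a non-web scheme (what a page scanner sees).
gate_open_url(url)            - the decision an app's URL handler should make
                                 before acting on a launch URL; side effects
                                 always need an in-app confirmation.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Schemes a web page is expected to reference; "" covers relative URLs.
WEB_SCHEMES = {"http", "https", ""}

# Which attribute carries the target for each tag of interest.
_TARGET_ATTR = {"iframe": "src", "a": "href", "img": "src", "script": "src"}


class _SchemeRefs(HTMLParser):
    """Collects (tag, scheme, url) for every non-web scheme reference."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = _TARGET_ATTR.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                value = value.strip()
                scheme = urlsplit(value).scheme.lower()
                if scheme not in WEB_SCHEMES:
                    self.refs.append((tag, scheme, value))


def find_scheme_references(html: str) -> List[Tuple[str, str, str]]:
    """Return every non-web scheme reference found in the page."""
    parser = _SchemeRefs()
    parser.feed(html)
    return parser.refs


@dataclass(frozen=True)
class Decision:
    action: str                 # "call", "open" or "reject"
    target: Optional[str]       # the number the URL names, if any
    requires_confirmation: bool # True: ask the user before acting
    reason: str


# Constructed rule: optional '+' and 3 to 15 digits (E.164-like), nothing else.
PHONE_RE = re.compile(r"\+?[0-9]{3,15}")


def gate_open_url(url: str, handled_scheme: str = "skype") -> Decision:
    """Decide what an app may do with a URL it was launched with.

    The source of the launch (Safari, another app) is deliberately ignored:
    the app is the only place where a confirmation is guaranteed to happen.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != handled_scheme:
        return Decision("reject", None, False, "scheme not handled by this app")
    number = parts.netloc or parts.path.lstrip("/")
    # keep_blank_values so a bare "?call" (no '=') is still seen as a flag.
    query = parse_qs(parts.query, keep_blank_values=True)
    if "call" in query:
        if not PHONE_RE.fullmatch(number):
            return Decision("reject", None, False, "malformed number")
        return Decision("call", number, True,
                        "placing a call is a side effect: confirm in-app")
    if number:
        return Decision("open", number, False, "show the contact, no side effect")
    return Decision("open", None, False, "plain launch, nothing to act on")


if __name__ == "__main__":
    # Constructed sample page mixing the article's iframe with ordinary links.
    SAMPLE_HTML = (
        '<p>hello</p>'
        '<iframe src="skype://14085555555?call"></iframe>'
        '<a href="https://example.com/">site</a>'
        '<a href="tel:1-408-555-5555">call us</a>'
    )
    for ref in find_scheme_references(SAMPLE_HTML):
        print("non-web scheme reference:", ref)
    for launch in ("skype://14085555555?call", "skype://abc?call", "skype://14085555555"):
        print(launch, "->", gate_open_url(launch))
```

The scanner flags tel: as well as skype:, which is intended: the page's point is that only the built-in handlers prompt, so a scanner cannot tell from the markup alone which references are safe and should report all of them for review. In the gate, the confirmation flag is set by the kind of action, not by who launched the app, which is the property Dhanjani argues Safari alone cannot provide.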