back to article iOS phone phlaw can UNMASK anonymous users on social media

Apple iThing users can be identified, images of their faces captured and their phones forced to call numbers – all thanks to coding schemes affecting Facebook, Google, and Twitter, among other sites and services, security researchers say. Attackers and pranksters can force iOS coding schemes to send an SMS or an instant …

  1. The Mole
    FAIL

    This seems to be a bog standard variation of cross site scripting and not trusting your input from Apple. It's basic security that operations that could potentially cost money should be authorized and that you can't trust the calling app to do so. Never mind privacy I'm off to setup a few premium rate phone numbers to force apple users into calling...

    1. Byz

      Well you'll have to write a native app first :)

      Do you want to sign up for some training courses?

      then you have to decide if you want to do it in Objective-C or Swift

      :D

      1. Raumkraut

        > Well you'll have to write a native app first :)

        Except the entire point of the article, if I understood correctly, is that an attacker doesn't need a native app of their own, they only need a website, and users to access said site with a non-Safari app which uses a web view (I imagine a lot of "native" wrapped-HTML5 apps do this).

        1. Byz

          We'll you read wrong

          It is quite clear that the leak is through third party apps like chrome.

          Do you actually program iOS apps?

          Or is are you just holding your finger in the air and seeing which way you think the wind is blowing?

          You can only use a web view via a native app, and then fire off the URL as an action from the webview.

          Google is blaming Apple here for an app that it wrote, whereas safari (written by apple) doesn't have this issue (yet uses the same web view). QED Google has written there app to the same standard as usual which is as water tight as sieve !!!

          1. VinceH Silver badge

            "Google is blaming Apple here for an app that it wrote, whereas safari (written by apple) doesn't have this issue (yet uses the same web view). QED Google has written there app to the same standard as usual which is as water tight as sieve !!!"

            WTF?

            If the platform itself doesn't prevent this, then the platform itself - and therefore its provider/developer - is at fault. That's iOs, and therefore Apple.

  2. RyokuMas Silver badge
    Holmes

    There's no such thing as a secure platform...

    Anything can be broken into - it's just whether or not the effort of doing so is justified by the potential returns.

    1. Toothpick

      Re: There's no such thing as a secure platform...

      Not sure why you have been down voted here. Very sensible comment. Have an up vote

      1. Byz

        Re: There's no such thing as a secure platform...

        Indeed a very good comment.

        If you have a Turing complete programming language (and both Objective-C and Swift are Turing Complete) there is always a way to subvert the system. The problems get caught in the testing.

      2. Roo
        Windows

        Re: There's no such thing as a secure platform...

        "Not sure why you have been down voted here. Very sensible comment. Have an up vote"

        I can't speak for the down voter but that comment stated the bleeding obvious. The fact remains that Apple have made iOS remotely exploitable by design. It's a web security 101 level of screw up, the good news is that it should be trivial to fix in iOS, the bad news is that folks are asking apps to fix it instead because they don't want to face the idea that Apple might have screwed the security pooch.

        1. Roo
          Windows

          Re: There's no such thing as a secure platform...

          "Apple might have screwed the security pooch."

          Nice to see some upvotes shielding the bearer of bad tidings. Thank you. :)

        2. AndyDent

          Re: There's no such thing as a secure platform...

          "remotely exploitable by design" - I'm not sure I agree in this case.

          As stated in a previous comment, a web view does NOT automatically follow links (that would be a flaw on Apple's part). The problem is the applications that contain the web views which have followed a bad practice. Apple could be blamed for not making it clearer that this is a bad idea.

          This has already been thrashed out in other forums, as said there:

          "

          The article is misleading, if you do nothing your webview won't open any phone call. You have to implement a specific method to intercept links and explicitly open them in the device.

          see `

          - (BOOL)webView:(UIWebView )webView shouldStartLoadWithRequest:(NSURLRequest )request navigationType:(UIWebViewNavigationType)navigationType` method in official UIWebViewDelegate reference

          "

  3. Anonymoist Cowyard
    FAIL

    Apple - The Toxic Hellstew Of Vunerabilities

    Yesterday iCloud, today Facetime.

    Not so smug now huh? Giving your users a false sense of security (and a false sense of superiority) is never a good idea, and will always backfire.

    1. ItsNotMe
      Happy

      Re: Apple - The Toxic Hellstew Of Vunerabilities

      Yesterday iCloud, today Facetime & Find My Phone.

      There...fixed it for you.

      http://www.dailymail.co.uk/sciencetech/article-2739764/Did-iClouds-Find-My-iPhone-function-help-hackers-steal-celebrities-nude-photos-Flaw-exposed-hundreds-images.html

  4. Byz

    Nothing new

    'The document also explains that something called the "tel URL scheme is used to launch the Phone app on iOS devices and initiate dialing of the specified phone number."'

    This has been there for years all the way back from iOS 2

    I have written apps that open maps and then find a route or make phone calls and they have never prompted, however my apps have to go via the App Store so are screened first (obviously this is as good as the screening), also if Apple discover you are doing something not allowed they take down the app.

    If you jailbreak your phone and download an app from another source you on your own and where these native apps are likely to be lurking.

    1. Anonymous Coward
      Anonymous Coward

      Re: Nothing new

      On Android, firstly before you install the app (either sideloaded or from the play store) it will tell you that the app can use services that cost you money (calls, texts etc).

      Then when you click through a link that it detects as a phone number the dialler will open with the number showing (if you have multiple diallers registered it will let you choose which one to use - e.g. a SIP dialler or the default phone dialler). You can then dismiss it or click dial to call it.

      1. heyrick Silver badge

        Re: Nothing new

        ...but if you don't have multiple dialers, it'll just go right ahead and place the call. Indeed there was a "pl

        problem" not so long ago with specially crafted numbers.

  5. Anonymous Coward
    Anonymous Coward

    It wouldn't exactly be rocket science for an app to predeclare which URL schemes it intends to use. The app store and user preferences could document that, and iOS could enforce it.

  6. Doctor_Wibble

    History Repeating Again

    For a moment I thought we had slipped back a decade or two - clicking on something starts up a rogue dialler without warning you? Wow, not seen that before. Much.

    It's far back enough that I can't remember if I first saw these on Win95 or 98.

    Simple answer : don't use a mobile device for *anything* that's supposed to stay private.

    Simple question : who are you trusting when you use these things?

  7. Anonymous Coward
    Anonymous Coward

    Hey you have to remember this is iOS it just works, if a user clicks something bad... they are probably clicking it wrong..!

    1. Slap

      Nah, if you click something bad on iOS it still just works, and precisely as it was intended.

  8. Moosh
    FAIL

    Not a very good day for Apple is it?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019