Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Known iOS auto-call feature sparks concerns about unintended dialings

Technical oversights on the part of some of the iOS ecosystem's most prominent developers — including Facebook and Google —  could allow attackers to exploit a documented iOS feature that allows apps to initiate phone calls without a prompt, spurring reminders that iPhone owners should be careful what they tap on.

Romanian developer Andrei Neculaesei discovered that some apps do not properly account for tel: URIs — which pass a telephone number to the handset's dialer much like a mailto: URI would open the Mail app — in embedded web views. Because Apple allows app developers to bypass confirmation prompts when calling the dialer from within their apps, a specially-crafted web page could cause users to initiate telephone or FaceTime calls against their will.

Tapping a malicious link from within the official Gmail app could, for example, force users to call an expensive toll number. Other popular apps affected by the oversight include Facebook Messenger and Google+.

While the issue does not represent a flaw on Apple's part, it seems likely that the company will implement changes to save developers from themselves, perhaps by altering the default behavior of such links to draw a confirmation prompt as they do when tapped in mobile Safari.

Though it is a relatively low-grade problem, it does serve to remind users that they should exercise caution when opening messages or tapping links from people that they do not know. Malware authors depend almost entirely upon consumers' lack of such basic precautions.



66 Comments

🌟
SpamSandwich 19 Years · 32917 comments

Pretty far-fetched if you ask me. If you receive a strange looking text or e-mail, just ignore it or delete it.

🌟
jinglesthula 14 Years · 239 comments

Seems like a no-brainer under the hood change for Apple to make. The app developers probably won't notice a thing as far as their apps go.

🎅
gatorguy 13 Years · 24633 comments

Potentially affects just about every app with phone number links. there's also other url schemes that could work a bit differently than Apple intended. http://www.irongeek.com/i.php?page=videos/bsideslasvegas2014/pg10-ios-url-schemes-omg-guillaume-k-ross http://algorithm.dk/posts/rtfm-0day-in-ios-apps-g-gmail-fb-messenger-etc Apple will probably need to make a few changes even tho they may not technically be at fault.

🎄
ex iphone owner 12 Years · 58 comments

Quote:
 While the issue does not represent a flaw on Apple's part, it seems likely that the company will implement changes to save developers from themselves, perhaps by altering the default behavior of such links to draw a confirmation prompt as they do when tapped in mobile Safari.

 

How is that not a flaw on Apple's part?  Anyone that has done software design knows that if you don't want someone to use your functionality a certain way; then you code to stop it.  Whomever wrote that paragraph has never designed software that was used by others.  

🕯️
nagromme 22 Years · 2831 comments

Prompt only happens sometimes? Apple's fault. Easy to fix.