Apple iOS URL Handling Flaw Uncovered

A security researcher has uncovered a flaw in the way Apple's iOS mobile operating system handles URL schemes.

Security researcher Nitesh Dhanjani wrote on the SANS Application Security Street Fighter blog that the Safari web browser in iOS can initiate third party applications using URL schemes or URL Protocol Handlers.

Apple has registered some URL schemes to initiate other relevant applications if the HTML code on a website contains a particular scheme, he explained.

He gave the example - when Safari encounters a URL Scheme on a website's HTML code that says "", iOS launches the phone's dialler but does so after asking for user's permission.

However, Dhanjani found that if Safari encounters a URL Scheme pertaining to VoIP service Skype and the user has Skype installed on the device and has used it only recently, the browser automatically allows Skype to initiate a call without asking the user for permission.

“The security implications of this is obvious, including the additional abuse case where a malicious site can make Skype.app call a Skype-id who can then uncloak the victimʼs identity (by analysing the victimʼs Skype-id from the incoming call),” he wrote.

Both Skype and Apple have failed to acknowledge the issue, he said.