iOS4 URL handling lets iPhone Apps phone home

A 'security researcher' has unearthed a worrying security hole in the way Apple's iOS4 mobile operating system handles URL schemes.

The theoretical example described by Nitesh Dhanjani suggests that a malicious website could be crafted which would cause Safari to open Skype and initiate a call without user permission.

Not only could this rack up huge bills if you have Skype calling credits, but Dhanjani is concerned that a victim's identity could be uncloaked by analysing the Skype ID from the incoming call.

Dhanjani says he has contacted both Apple and Skype about his discovery but has yet to receive a reply.

Apple will of course insist that third-party developers are responsible for making sure their Apps do not allow rogue URL schemes to be used for nefarious purposes, but Dhanjani asks whether the Cupertino should be auditing the the security implications of registered URL schemes as part of its App Store Approval process.

"Appleʼs tel: handler causes Safari to ask the user for authorisation before placing phone calls," he writes on the Sans SSI security blog. "The most logical explanation for this behaviour is that Apple is concerned about its customersʼ security and doesnʼt want rogue websites from being able to place arbitrary phone calls using the customerʼs device.

"However, since the Skype application allows for such an abuse case to succeed, and given that Apple goes to great lengths to curate applications before allowing them to be listed in the App Store, should Apple begin to audit applications for security implications of exposed URL Schemes? After all, Apple is known to reject applications that pose a security or privacy risk to their users, so why not demand secure handling of transactions invoked by URL Schemes as well?"

Dhanjani makes it clear that Skype making phantom calls is just one possible scenario and that URL Protocol Handlers could be used to open any application without notification and perform registered transactions.

Really stirring the FUD pot, he concludes: "Given the prevalence and ever-growing popularity of iOS devices, we have come to depend on Appleʼs platform with our personal, financial, and health-care data. As such, we need to make sure both the platforms and the custom applications [running on] iOS devices are designed securely."