Web sites can launch iPhone applications without prompting


Specially crafted web sites can launch iPhone and iPod Touch apps without Safari asking the user for permission when certain URL protocol handlers (URL schemes) are invoked. For instance, according to security researcher Nitesh Dhanjani, a web site can use a hidden iframe to launch the Skype app and automatically place a call, provided the user has stored their Skype login data. Criminals could abuse a number of other applications the same way. For a list of the schemes currently in use on the iPhone, see the URL scheme index.

Dhanjani says that iOS apparently does not prompt before handing a URL to a protocol handler registered by a third-party app installed on the iPhone after purchase. If a web site calls one of the URI schemes registered by default on the iPhone, such as tel:1-408-555-5555 for the built-in Phone app, Safari and/or iOS displays a dialogue asking whether the user would like to make the call.
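To make the two preceding paragraphs concrete, here is an added example (not code from the article or from Dhanjani) that shows the attack pattern and a check for it: a constructed page containing a hidden iframe whose src is an app URL scheme, plus a small heuristic scanner that pulls every URL a page would hand to the OS out of src/href attributes, meta refreshes and location assignments, and reports those whose scheme is not an ordinary web scheme. The scheme names skype: and someapp: and the call URL format are illustrative assumptions, not taken from the article; tel: is the one scheme the article names.

```javascript
// Added example: heuristic scanner for app-scheme launches in page markup.
// Not part of the original article. Scheme names other than tel: are
// assumptions chosen for illustration.

// Schemes Safari itself handles; anything else is handed to an OS/app handler.
const WEB_SCHEMES = new Set(["http", "https", "ftp", "data", "about", "javascript", "blob"]);

// Constructed sample page reproducing the pattern the article describes:
// a visible link the user must tap, an invisible iframe that fires on load,
// a benign meta refresh, and a scripted navigation to an assumed app scheme.
const SAMPLE_PAGE = `
<html><head>
<meta http-equiv="refresh" content="5;url=https://example.test/">
</head><body>
<p>Nothing to see here.</p>
<a href="https://example.test/help">help</a>
<a href="tel:1-408-555-5555">call us</a>
<iframe style="display:none" src="skype://1-408-555-5555?call"></iframe>
<script>setTimeout(function(){ window.location = "someapp://do-thing"; }, 100);</script>
</body></html>`;

// src="..." / href="..." on any tag; captures tag name and URL.
const ATTR_RE = /<([a-z][a-z0-9]*)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']*)["']/gi;
// <meta http-equiv="refresh" content="N;url=..."> redirects.
const META_RE = /<meta\b[^>]*http-equiv\s*=\s*["']refresh["'][^>]*content\s*=\s*["'][^"']*?url=([^"']*)["']/gi;
// location = "..." / location.href = "..." with a string literal.
const LOC_RE = /\blocation(?:\.href)?\s*=\s*["']([^"']*)["']/g;
// location.assign("...") / location.replace("...").
const LOC_CALL_RE = /\blocation\.(?:assign|replace)\(\s*["']([^"']*)["']/g;

// Collect every URL the page would navigate to, with where it came from.
function extractUrls(html) {
  const found = [];
  for (const m of html.matchAll(ATTR_RE)) found.push({ url: m[2], context: m[1].toLowerCase() });
  for (const m of html.matchAll(META_RE)) found.push({ url: m[1], context: "meta-refresh" });
  for (const m of html.matchAll(LOC_RE)) found.push({ url: m[1], context: "location" });
  for (const m of html.matchAll(LOC_CALL_RE)) found.push({ url: m[1], context: "location" });
  return found;
}

// Lower-cased scheme of an absolute URL, or null for relative URLs.
function urlScheme(url) {
  const m = /^\s*([a-z][a-z0-9+.\-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Report URLs whose scheme leaves the browser. "automatic" marks the ones
// that fire without a tap (iframe src, meta refresh, scripted navigation);
// a plain <a> link still needs the user to touch it.
function findAppLaunches(html) {
  return extractUrls(html)
    .map(({ url, context }) => ({ url, context, scheme: urlScheme(url) }))
    .filter((e) => e.scheme !== null && !WEB_SCHEMES.has(e.scheme))
    .map((e) => ({ ...e, automatic: e.context !== "a" }));
}

console.log(JSON.stringify(findAppLaunches(SAMPLE_PAGE), null, 2));
```

Run with `node` on the sample page and it lists three launches: the tel: link (user-triggered), the hidden skype: iframe and the scripted someapp: navigation (both automatic). The scanner is regex-based and will miss URLs assembled at runtime; it is meant as a quick triage check on saved pages, not as a replacement for loading the page in an instrumented browser.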

Dhanjani says that when he contacted Apple, Apple replied that authorisation for such actions is the responsibility of the app itself; in other words, an app's developers have to implement their own confirmation step before acting on a URI. But Dhanjani says this is hard to do properly, because apps can also be launched from outside Safari, after the point at which permission would need to be granted. He therefore argues that there should be a way for an app to indicate, when it registers a URL scheme, whether Safari should prompt before invoking it. Furthermore, he says Apple needs to pay more attention to potential abuse of URL schemes when reviewing apps.
