Malicious Websites Can Initiate Skype Calls On iOS

An anonymous reader writes "In this article, security researcher Nitesh Dhanjani shows how iOS insecurely launches third-party apps via registered URL handlers. Malicious websites can abuse this to launch arbitrary applications, such as getting the Skype.app to make arbitrary phone calls without asking the user. Dhanjani 'contacted Apple's security team to discuss this behavior, and their stance is that the onus is on the third-party applications (such as Skype in this case) to ask the user for authorization before performing the transaction.' He also discusses what developers of iOS apps can do to design their software securely and what Apple can do to help out."

I wonder if this would work...

[by+(1706743)]

Once again proving...

...that Apple's products aren't all their fanboy customers hype them up to be. They have security through (still, relative) obscurity on the desktop. In mobile gadgets, where they're somewhat more common, they aren't secure -- and as shown in the quote here, Apple could care less about that. When they have the opportunity to use their walled garden to protect their customers, they don't actually do so, either -- hence proving that the walled garden is only there to protect profits, not customers.

All that greatness, *and* you have to pay over the odds to get it.

Re:Once again proving...

[MrEricSir]

Right, because this is clearly a security flaw you'll only find in Apple products.

Re:Once again proving...

Whether or not a similar problem exists in competing products is beside the point. Nobody pretends competing products are implicitly secure straight out of the box. Apple fans pretend exactly that.

Or do you think that it's OK that your walled garden iOS product can make calls (potentially to expensive toll numbers) without any prior warning, simply by visiting a malicious website -- and that Apple doesn't think that's a problem?

Re:Once again proving...

[countSudoku()]

I was all set to shout; "See!? This is where Android rules!" Then, I thought better of that idiotic statement. Android will have this same issue and more of the same data hijacking apps that every system will contend with. Personally, I can think of worse things than a random skype call. Come on, Saddos! This is how you meet new people in the Golden Age of Social Networking. Get with the program as say hello to your new random friend!

Re:Once again proving...

They have security through (still, relative) obscurity on the desktop.

Sorry, but OSX is much less obscure than MS - Darwin, and the BSD tools are open source, so there's no obscurity there. The GUI is more obscure than Linux or the BSDs though, but much less than MS products.

In mobile gadgets, where they're somewhat more common

Uhh.. What!?!? Oh, I get it now - you don't know what "obscurity" means. here:

Obscurity: 1) the quality of being unclear or abstruse and hard to understand. 2) not well known

So.. how exactly is Apple not well known again?

Re:Once again proving...

[0100010001010011]

Reminds me of my first 'hacking' of the school computers. They were locked down, and relatively well. You could only launch Netscape. There was nothing in the start menu (Running Windows 95).

However, you could reconfigure Netscape to launch any number of 'handlers'. Well I set up the telnet handler to be the Windows Explorer. (The app that launches separate from the desktop lets you browse through the files and such).

Type in "telnet://" sure enough, windows explorer launched and I could do what ever I wanted. I had hidden folders of ... archived images.

Oh the good ole days. This was ~1999-2000ish.

And doesn't this also require you to have Skype installed?

Re:Once again proving...

Right. Because that is exactly what the OP was claiming.

Learn to read - before you go on being apple's bitch.

Re:Once again proving...

[AnonymousClown]

Right, because this is clearly a security flaw you'll only find in Apple products.

The GP means is that Apple implied that their platform was more secure and the fanboys loved to point out that they were secure whenever a vulnerability was found in Windows - granted that was more MS hatred than anything.

The GP was only shoving it in everyone's faces that Apple products are not as secure as everyone believes. Of course, us old timers remember all the viruses that were spread disk to disk back in the 80s on the original Macs - so we've never believed the hype about the "safety" of Apple products.

Re:Once again proving...

[mr_mischief]

If it is done using URL handlers, it requires some apps that is registered as a URL handler. Skype calls would require Skype or something that registers its protocol instead, yeah. But other URL schemes would still launch the applications registered to handle those.

BTW, unless it was a Windows 95 locked down with third-party software, all you really needed to do was reboot and get into safe mode or item-by-item interactive boot with the F8 key. Back in the early 1990s, we used to use the DOS Shell menu item in MS Works on our school network to break out of the "security" the main lab had in place. We used to play Scorched Earth and Stunts rather than write papers we could just as easily type up at home. Keep your porn to yourself, perv. ;-)

Re:Once again proving...

Somebody is being obtuse -- or perhaps that's another word you'll pretend not to understand the meaning of.

obscure

5. inconspicuous or unnoticeable: the obscure beginnings of a great movement.

6. of little or no prominence, note, fame, or distinction: an obscure french artist.

7. far from public notice, worldly affairs, or important activities; remote; retired: an obscure little town.

Random House Dictionary

Other dictionaries provide similar, applicable definitions. Of course, you already knew that. "Security through obscurity" is not an uncommon expression, especially in relation to Apple's products.

Who the hell modded your post insightful?

Re:Once again proving...

[stephanruby]

Can someone explain how this flaw can be used in real life? Does this mean a web site can tap your phone with skype? Wouldn't it also need access to the volume control as well to avoid the user hearing the Skype tone? Also, I thought the iPhone didn't allow third-party app multi-tasking. So does this mean that the malicious web site would be forced to lose control of the window and cede it to the Skype application instead? If it really did that last one, cede control to the Skype application, I wouldn't really consider this a major security risk.

And no, I'm not an Apple fanboy, nor am I an iPhone developer (thus the silly clueless questions on my end), I don't even own an iPhone. I am however a former Nokia user who used to be really pissed off at having to authorize every little action my phone had to take.

Re:Once again proving...

[MichaelKristopeit140]

he meant relative to his own intellect... not relative to other operating systems.

Re:Once again proving...

[MichaelKristopeit140]

yes, it cedes control... they are claiming it's a problem because it could initiate a toll call...

if the user installed skype and skype installed the URL handler, what is apple supposed to do? if this is being done via redirects, and the URL handler is different in the redirect, i guess they could pop-up a confirm dialog, but that would be very annoying if your web app used many different URL handlers like many content management systems do.

like apple suggested, this is up to the 3rd-party application that installed the URL handler, but it would probably help if the web browsers passed along information about whether or not the request happened as part of a redirect.

Re:Once again proving...

[Zak3056]

I really fail to see how it is Apples fault that a third part App does something.

When you require that EVERY application that can run on your platform be approved by your personnel for sale, I'd say that you bear some (though by no means all) responsibility for the application's behavior.

Re:Once again proving...

[iluvcapra]

If you require all URL schemes novel to the system to be validated by the user before they launch the other application, then you just end up with the "Are you sure you want to do that?" problem we all loved on Vista. Some application-defined URL schemes trigger Really Big Things (like Skype calls), and some just launch the app, it's up to the developer who decided to invented the scheme to actually describe what the scheme does. It's obviously impossible for the host OS to test an arbitrary URL to see if it "does something bad" or not, since that would require the OS solving the halting problem on the target app for the given input.

Of course you could point out that this is a side-effect of the fact that URLs are pretty much the ONLY way to do application-level IPC on iOS. Since URLs are highly containable, don't let apps share memory, are rigorously parseable, etc. they present a very thin vector for making Bad Things Happen, compared to anything else.

Re:Once again proving...

[ToasterMonkey]

Skype comes out the box?

Re:Once again proving...

YOU are the asshat putting Apple up on a pedestal, not them.

Re:Once again proving...

[shutdown+-p+now]

I really fail to see how it is Apples fault that a third part App does something.

The whole point of the "walled garden" approach - its ultimate benefit - is that apps that "do something nasty" are not admitted, and those which are, are forced to behave.

That said, TFS really makes it sound it much more scary than it really is - if it could somehow launch Skype in background and make a call, that would be a security issue. This? Skype actually pops up and starts dialing, so the user can break the call right away. And the user will be watching, because you have to have him there to trigger your "exploit" by navigating to the page with the iframe.

I wonder, will it work with a JS timer reloading iframe to the required URL while the phone is locked? It's about the only way I see of actually exploiting this... have the user navigate to some seemingly legit page & stay there, and then have it trigger a bit later. But I very much doubt it would work - does JavaScript continue to execute in Safari when you switch away from it or lock the phone?

Re:Once again proving...

[tqk]

Blockqote [sic] What you said. Pthoo. [sorry, not even trying to be civil atm]

Can we have a "Party Line" thumbnail please? I'm so fscking bored of hearing about Apple tech I never intend to fall for. /. doesn't consider Apple high tech, from what I've seen, so why such a big Apple footprint?!? Tell Bing about all the wonderful stuff Apple things can do. They might like to hear about it. Seeing it here just irritates me. Nice hardware and user interface, but user, developer, and universe is a walled garden/fascist/oligargichal/corporatist dictatorship ! @#$ Or whatever, and I'd rather stay away from that sort of thing (poor; can't afford anyway).

Sorry, /rant

I don't even recommend Apple to family any more. I build 'em a FLOSS laptop of some sort. Solved.

Re:Once again proving...

Did Apple allow the handler app to open itself and close the browser without user confirmation?

Hint: the answer is yes.

Re:Once again proving...

Apple should do something -- it has been shown that it is up to the OS maker to handle security, as application makers really can't be trusted with much, if anything. Perhaps have a mechanism with an install manifest that if an app wants to do background tasks, the security is vetted, or the app stays in its cell. This way, unless Apple explicitly approves the app with the functionality, it just won't have the ability to do this. To boot, if an app maker fails to clean up their act, it gives Apple more grounds to yank their app and show them the door.

Take a look at the Windows platform -- there are applications made that don't even support ASLR or DEP, hamstringing Microsoft's attempt at security. Because there is no ROI gotten by making an app play well with others, or even with itself, an app maker really has little to no financial interest in security.

Application makers fail at security. It is up to the OS maker to wall them off, or else the entire platform suffers.

Look at Android and the numerous privacy violations reported to /. by apps reportedly slurping SMS and contact data and uploading it to the blackhat's site. There is a reason that Android is starting to get a black eye when it comes to security, and that is because Google assumed that app makers actually didn't choose to shit where they sleep. Google needs an active app approval process, or the platform will be abandoned for one that does.

Re:Once again proving...

[MichaelKristopeit172]

I would rather have a pathetic:MichaelKristopeit link always reply "Yes, pathetic".

Re:Once again proving...

[MrEricSir]

Nobody pretends competing products are implicitly secure straight out of the box.

You must be new around here.

Re:Once again proving...

[MichaelKristopeit172]

"MichaelKristopeit118" is operated by an individual attempting to steal the identity of "MichaelKristopeit162".

you're pathetically predictable.

Re:Once again proving...

[bm_luethke]

Not only that, but it is *one of your primary selling points* then it is also something important.

Lets face it, one of the issues going on now with American politics is that both sides have run a small govt keep their nose out of your business mostly honest politicians and what we have is crooked lets see how much of your money we can spend and tell you what to do (though argue about what part of your life we can control) politicians. Republicans failed it and the democrats busted them hard for it, democrats failed even worse, and now we have a populace that didn't really vote *for* anything but simply against something (and with a two party system that means that you got the spend over all less and intrude in ways you aren't quite as angry about but still think they all ought to jump off a cliff with no parachute politician). Frankly the smart phone market isn't that far off as an analogy.

In that sense none of the offered solutions are really ideal - Android is trying to move so fast with features that they aren't fixing security issues. New versions are out so fast there is almost no way that any manufacturer (even if they wanted too - and most do not as the market is realistically pushing less than one year hardware updates so major profits for carriers *and* manufacturers) could keep up porting the official releases to their device. Apple's head is so far in the sand (usually because to admit failure kills their image - image being almost totally what their major sales are based on) that things like this are rarely fixed. Heck we had a remote root exploit for iOS and it was billed as a *feature* and a month later a MUCH less severe remote root for the Android was a colossal failure of their security model. Even on a fairly technical site that *should* know better (here) it causes multi-hundred post arguments.

Basically the smart phone device is still not a mature product where time is spent on "lesser" issues. Lesser based on how it affects sales - if it isn't causing people to flock somewhere else then run with it. Apple will run with the "walled garden" approach as being totally secure until they can not - it isn't like this is the first major breach and a HUGE number of their customers will ignore it and tell everyone they can about how secure and unhackable everything is on them because of that. Even in this posts comments it isn't hard to find that - that this is unimportant because no major known attack vectors have used it: Otherwise known as Security Through Obscurity. Then again I have to note that the same is true of iOS's competitors (who are totally insecure because of the freedom allowed) - no widely known security breaches. Oh we can all point to individual ones and argue over if the were scripts, trojans, viruses, or whatever (what, exactly, was the remote rooting with an Apple produced PDF reader?), yet the potential remains there. That is the essence of security through obscurity - it is security in that no one has taken advantage of it, not because it is secure by design.

I'll 100% agree this is not an Apple only thing just as much as I'll agree this hurts Apple more than others - that they wall this sort of thing out of their garden is a *LARGE* part of what many are paying for. There are several things that can happen. One is that a real attack vector takes advantage of this - frankly it is a matter of time. It may be Apple, it may be Google, it may be someone else - but it is going to happen. When it does that entity is going to take it hard, further any of the others that do not fix theirs are going to get hit too (chances are it will cause a shift in attacks and as we know Security Through Obscurity isn't Security, especially once obscurity goes away). There are going to be lots of falls - frankly I think this to be the most likely.

Next is that one of them matures enough to to fix things to be secure - this mainly means a real hack/phreak never really hit the wild until now. Of those I expect Google to be the first as they at least seem to know the issue is t

Re:Once again proving...

[GuldKalle]

They haven't said it's not a problem, they've just pointed out that they can't/won't fix it.

If I registered strangeURL://* on a system, the only thing iOS could ask was "Are you sure you want to start StrangeApp? It may or may not cost ya"

If Apple let the app ask the question (as they do now), that question could be much more meaningful.

If Apple were to stick completely to the "Walled garden" approach, they would not have allowed Skype because it doesn't ask that question.

Re:Once again proving...

[Serious+Callers+Only]

Or do you think that it's OK that your walled garden iOS product can make calls (potentially to expensive toll numbers) without any prior warning, simply by visiting a malicious website -- and that Apple doesn't think that's a problem?

Actually, it can't make real phone calls, if you try to make a call with a URL via the phone app, it does the right thing and asks the user first. This is a vulnerability in the Skype app, which should not be initiating potentially expensive actions without prompting the user first under any circumstances.

Imagine a similar case where an app allows other apps to trigger a purchase within it using some proprietary URL scheme, how would Apple sensibly prompt the user when they don't even know what the scheme does and it could change at any time? Users want to be told:

'This action will do x, do you wish to proceed?'

not

'Should the URL sheme://foobar/%202890%56745 be opened in application x'

That leaves you open to all sorts of social engineering attempts with obfuscated URLs for a start.

It's up to the application to decide if actions should happen without prompting the user or if the user should be asked first, and in this particular case I think Apple are completely correct to say that responsibility lies with Skype.

Re:Once again proving...

[wisty]

Mark V Shaney, is that you?

Re:Once again proving...

[sempir]

Euw...my, but arn't we are sooo Hilda today!!!

Re:Once again proving...

[TheLink]

Steal your identity? I doubt your slashdot identity is worth "stealing" at this point. It's like pretending to be SCO or worse.

It's probably more to parody you and your other MichaelKristopeitXXX accounts.

Thing is, MichaelKristopeit172 is posting less "pathetic" stuff, if he keeps it up he'll be easily distinguishable from the other MichaelKristopeitXXX accounts by virtue of not being stuck at zero or lower karma.

Re:Once again proving...

[MogNuts]

Amen. I agree with you 100%. I'm wondering where the outrage to this is, too. And shame on the topic/original story for putting the blame on Skype. This is a serious problem in which sole responsibility lies with Apple.

All Apple has to do is simply put, whoa, wait for it, permissions (available since the beginning of time!) or a simple "do you want to launch program XYZ?" dialog when you click on a punch-the-monkey ad in Mobile Safari.

But no, leave it to Apple to put the responsibility on the developers. It's their shit-brained multitasking thing all over again. And we know how that worked out. Half my damn apps on my 3GS (with iOS 4.1) still don't multi-task (I'm looking at you Engadget) or do it poorly.

P.S. To any replies, don't give me any nonsense in how this will be a repeat on Vista's constant permission bugging. YOU are the reason we still have user's PCs totally infected with malware by advocating turning off UAC/permissions. This is a serious issue. If this isn't implemented, Apple and the IPhone have the potential to be the most *IN*secure OS ever and the most dangerous because they're not just using it for botnets, but have access to your telephone and the ability to purchase things using your credit card.

Re:Once again proving...

[BasilBrush]

When the URL is actioned, the Skype App is opened in the foreground, and Safari closes down. The user is completely aware that the Skype call is being made.

I agree with you that authorisation dialogs should be avoided as much as possible. But making phone calls from URLs on web pages is something that is abusable enough that it should require authorisation. The number should be displayed, with a "Call" and a "Cancel" button.

As things stand, it's clear here that the Skype app is the one with the security flaw, in that it doesn't do that. The Skype programmers know that iOS doesn't ask for authorisation before passing them a URL, so they are the ones that should do so.

On the other hand, Apple could improve the UX by giving app developers a facility for asking for authorisation before leaving Safari. That way a malicious site doesn't even get to close down Safari this way.

Re:Once again proving...

[Wovel]

Then you both completely misunderstood the problem and have absolutely no idea what you are talking about...What should iOS ask? You installed an app that registers a URL handler, it is in fact up to that app to umm you know properly handle the url. The browser has no idea what that URL actually does, the app handling it does and is responsible for ensuring the user is informed before doing something expensive/dangerous...

This is simply the second story in a week desperately trying to find security flaws in iOS and failing miserably.

Re:Once again proving...

Talk about flawed logic. Apple care about security if only for PR and legal reasons.

How the hell does this crap get modded up to 3?

Re:Once again proving...

[Culture20]

Then you both completely misunderstood the problem and have absolutely no idea what you are talking about...What should iOS ask? You installed an app that registers a URL handler, it is in fact up to that app to umm you know properly handle the url. The browser has no idea what that URL actually does, the app handling it does and is responsible for ensuring the user is informed before doing something expensive/dangerous...

This is simply the second story in a week desperately trying to find security flaws in iOS and failing miserably.

Apple shill. End user installed an app for wifi based "phone" calls. How do they know if there is a URL handler involved at all? If there are 10,000 apps that need cleaned up, does the onus still fall on the 10,000 3rd parties when apple could easily solve the problem since Apple's app is the one gateway that is causing the issue to begin with?

Re:Once again proving...

Right, because this is clearly a security flaw you'll only find in Apple products.

And when porn diallers were unavailable on OS X this proved its security over another product and how little that product's maker cared about security. Live with it.

Re:Once again proving...

[MogNuts]

Actually I understand the problem all too well.

We live in reality. Not in Apple-theory-fairy-land. In reality, this exploit exists. You can't deny it. Exchange Skype with any of the thousands of VoIP programs on the App Store. It can, and WILL, even happen to a program that stores credit card numbers or secure customer information (say a CRM) on a phone that users will most definitely have set on auto-login. IT HAS HAPPENED. And it will CONTINUE to happen.

Rather than your method of closing your eyes and say "la-la-la I can't hear you," I expect that security mechanisms are a necessity and a reality. Witness the passing of personal user information in the "carefully cultivated walled garden" of ITunes App Store.

YOU misunderstand the problem and truly do not grasp what you are talking about.

This is why sandboxing, permissions, etc., were invented. Play holier-than-thou all you want, but that simple "do you want to run this program?" dialog in Windows before installing, or having to do a "chmod +x xyz" has cut down the spread of many a malware.

Re:Once again proving...

[icebraining]

But isn't Apple responsible since they allowed the Skype phone to be distributed even without prompting the user?

Re:Once again proving...

[dwightk]

Whether or not a similar problem exists in competing products is beside the point. [I haven't run into anyone pretending] competing products are implicitly secure straight out of the box[, but I have run into] Apple fans pretend[ing] exactly that.

Fixed that for you

Re:Once again proving...

[CheerfulMacFanboy]

But isn't Apple responsible since they allowed the Skype phone to be distributed even without prompting the user?

But aren't Slashdotters responsible since they would have complained about Apple not distributing the Skype app simply because it didn't ask for permission to dial number from an URL, claiming "What could possibly go wrong? This is just proof that Apple wants to take over the world with lame claims about 'security'.".

3rd Party Responsibility?

[WrongSizeGlass]

[disclaimer: Mac & iPhone user]

The responsibility is on 3rd party app developers? Hogwash! If Apple wants full control of the app development & distribution process then they get the full responsibility for the security too. Yes, 3rd party apps need to be smart and act in the best interest of the user but Apple's stranglehold of the environment puts this squarely on their shoulders. Fix it Apple, plain and simple.

Re:3rd Party Responsibility?

Yeah, the fix should be simple. Add this to the list of requirements for apps and don't approve any that don't implement it.

Re:3rd Party Responsibility?

Testing 3rd party apps when there are 300,000 apps in the App Store is just impossible. On the other hand Apple promises users security and quality via tight-control and that just isn't practically feasible. They can catch *maybe* the most obvious bugs if they pay some attention (which I doubt they do) but claiming anything other than that is a lie.

So the curated iOS apps really then are the same as any other "Open" platform apps that user can download and install themselves. The only difference of course is that Apple get their 30% and are in a better position to control their platform - all nicely in the name of the user benefits!

Re:3rd Party Responsibility?

[Bigjeff5]

Here is how it will go down:

First, Apple say this is an app issue, and app vendors need to fix it. They will dig their heals in and effectively say "screw you" to all their loyal customers.

Then, in the next iOS update (or the one after, if the next update is scheduled to be too soon) there will suddenly be a prompt for launching applications via registered URL handlers, possibly with some hype about how Apple is looking out for you, but not necessarily.

When confronted about the dichotomy between their two positions, Steve Jobs will simply reply "Apple is always concerned about the security of our customers, of course we would want to protect them from these kinds malicious attacks." All the while giving the reporter a befuddled look, as if to suggest the reporter is crazy for even asking such a stupid question.

Re:3rd Party Responsibility?

Yeah Apple, ya douches. Fix it like he said. Gah..

Re:3rd Party Responsibility?

[jo_ham]

And in the update tech document, that catalogs the changes, it will give a description of the problem, what has been done to fix it and then "credit to Nitesh Dhanjani for reporting this issue". You know, like all the other security update knowledgebase articles on Apple's site.

Re:3rd Party Responsibility?

You're an idiot and don't understand the first thing about the issue here. If Skype wants to allow arbitrary calls from a URL handler then that is their problem. Nothing to do with apple. They are doing the right thing by executing the registered action for a given URL.

Re:3rd Party Responsibility?

[Culture20]

Yeah, the fix should be simple. Add this to the list of requirements for apps and don't approve any that don't implement it.

The fix _IS_ simple. "This website is attempting to open XYZ.app. [ ]Allow? [X]Deny?"

Re:3rd Party Responsibility?

[GameboyRMH]

So the curated iOS apps really then are the same as any other "Open" platform apps that user can download and install themselves. The only difference of course is that Apple get their 30% and are in a better position to control their platform - all nicely in the name of the user benefits!

You beat me to it, the "quality, security and support" arguments for curated app stores are DEAD now. Quality was a stillborn argument, security was quickly disproven, and now this support is the last nail in the coffin. When it came time for Apple to put their money where their mouth is, they offered a level of support that would only be acceptable for an amateur FOSS project (basically none, much like the weeks when the PDF exploit used by jailbreakme.com went unpatched) - except you can't even fix it yourself. And you're paying game console prices.

Re:3rd Party Responsibility?

Disclaimer: Also a Mac and iPhone user
While I can see and respect your viewpoint, this is the wrong way to go about this. Have we learned nothing from the Windows Vista UAC debacle? Prompting the user every time they try to launch something will just lead to users ignoring the prompt.

This is an issue for the app developers. The API allows for app developers to add in these hooks, and yes these will switch you to that app and potentially do something. That's the entire point!
If that operation is then something that could potentially be used maliciously, such as placing a phone call through skype to any specified number, then it most certainly the job of the app developer to properly catch for and warn the user.

The end user doesn't want to see a confirmation dialog every time they click a "Open this in APP NAME HERE" link that they specifically bookmarked. That someone maliciously coded a site to launch these calls shouldn't matter, as these calls typically do benign things like open up a page in a downloader app. If it was doing something more dangerous, the app writer should code for it.

At most, Apple could add in what they have done for applications in OS X, and warn on the first launch that "This link is requesting to open APP NAME do you wish to proceed?" and then have an option to ignore the prompts. The issue there is it just becomes a burden to the interface without providing any real security benefit.

Re:3rd Party Responsibility?

[immaterial]

Suddenly the user has to click through confirmation dialogs every time they click a mailto: link, or click a link to a stream that would open in VLC, or any number of other things that are completely innocuous. This issue with Skype is that it initiates the call immediately without user interaction - that's like if you clicked a mailto: link and your mail client just went ahead and sent the email immediately. It's pretty clearly a problem with the app.

Re:3rd Party Responsibility?

[MichaelKristopeit128]

that fix _IS_ annoying... have you ever used a content management system before? do you want to have to confirm that you want to open every single piece of media that requires an external program?

did you want to name the pop-up dialog "clippy" or did you come up with something more user-friendly?

Re:3rd Party Responsibility?

[MichaelKristopeit122]

i don't understand... if it's so clearly a problem with the app, then how come every post claiming this is a security flaw on apple's part is moderated +5 insightful?

oh, right...

slashdot = stagnated

Re:3rd Party Responsibility?

[bh_doc]

"You are coming to a sad realization, Cancel or Allow?"

I know I've heard that somewhere, but for the life of me I just can't remember where...

Re:3rd Party Responsibility?

[pgmrdlm]

How about Apple puts in a fix to automatically deny this access, UNLESS the app itself overrides that position?

Apple can say they resolved the issue and now it is solely on the application itself for overroding the setting. This also would not make the user constantly verify they want to do something, UNLESS the application itself requested that type of input.

By the way, I hate apple as much as I hate Microsoft.

Re:3rd Party Responsibility?

[jhoegl]

It is the app causing the problem, but Apple allowed the app.

Therefore, a curse on both houses.

Re:3rd Party Responsibility?

[WrongSizeGlass]

The fix _IS_ simple. "This website is attempting to open XYZ.app. [ ]Allow? [X]Deny?"

Actually I was thinking of something similar to KeyChain access in OSX:
[ ]Always Allow?
[ ]Allow?
[X]Deny?

The 'three tier' prompt is already used in mobile Safari when visiting a site with an invalid or expired authentication certificate.

Re:3rd Party Responsibility?

[robot256]

It's from an Apple ad: http://images.apple.com/movies/us/apple/getamac/apple-getamac-security_480x376.mov

Re:3rd Party Responsibility?

[FilthCatcher]

Umm i think that's kind-of how it already is..
I believe iOS doesn't come by default with a url-binding for skype: it gets setup when skype installs.

you're sugesting a change from:
no binding -> skype install -> binding added
to:
no binding -> skype install -> locked-by-default binding -> skype override -> unlocked binding

Straight away the skype install would change to both add and unlock and you're back to exactly the same position as before.

As much as it pains me to say so I'm with Apple on ths one: The app install created a url binding. It's then up to the app to handle those urls sensibly.

Re:3rd Party Responsibility?

Are you still here? Maybe I should go register one of those MK### accounts ... there sure are a bunch of numbers left.

Re:3rd Party Responsibility?

[MichaelKristopeit162]

are you retarded?

why do you cower? what are you afraid of?

you're completely pathetic.

Re:3rd Party Responsibility?

[tbird81]

Here is how it will go down:

First, Apple say this is an app issue, and app vendors need to fix it. They will dig their heals in and effectively say "screw you" to all their loyal customers.

Then, in the next iOS update (or the one after, if the next update is scheduled to be too soon) there will suddenly be a prompt for launching applications via registered URL handlers, possibly with some hype about how Apple is looking out for you, but not necessarily.

When confronted about the dichotomy between their two positions, Steve Jobs will simply reply "Apple is always concerned about the security of our customers, of course we would want to protect them from these kinds malicious attacks." All the while giving the reporter a befuddled look, as if to suggest the reporter is crazy for even asking such a stupid question.

After this, Apple users on Slashdot will defend Steve Jobs. They'll state this can happen on any operating system, and that it is not Apple's responsibility. Then they're say how they are immune to viruses. They'll rejoice when they get their new version of Safari, which is limited to Apple's pre-approved sites.

Then their call will cut out, their screen will break, and their data will disappear. Steve Jobs will tell them that they are "holding it wrong". Apple fans will then bend over and take this abuse, at a personal cost of $4000.

Re:3rd Party Responsibility?

[iluvcapra]

It seems like if they did this, Apple would be accused of furthering their third-party-app-as-second-class-citizen agenda... "Look! All of Apples first party iOS apps 'just work,' but third party apps make the user jump through hoops!" (they might be heard saying.)

Re:3rd Party Responsibility?

[eggnoglatte]

What for? iOS has no multitasking, so the new app will run in the foreground, in direct view of the user. If the user doesn't like it, he can quit the app. Unless starting random apps really becomes a major sport for troll web sites, occasionally quitting an accidentally started app sounds a lot more efficient than having a confirmation box for every mailto: link.

Re:3rd Party Responsibility?

[beelsebob]

Way to jump on the modpoint bandwaggon. If on any other OS an application could end up charging you money by responding to a certain URL type you would place the blame firmly on that application. The OS does not know what's going to cost you money, nor does it know what the application is going to do with the URL it receives, only that it's registered to receive it.

You could claim that apple's app store testing process should catch this, and it's plausible that (for example) Tesco might refuse to sell software with such a security hole if they found it –but personally I doubt it. Ultimately though, the security hole is in the application, and it's Skype's responsibility to pop up the dialog box.

Re:3rd Party Responsibility?

[gnasher719]

How about Apple puts in a fix to automatically deny this access, UNLESS the app itself overrides that position?

An application has to actively register to receive clicks on links of a certain type. So Skype is saying "if anyone clicks on a link that looks like skype://xxx.xxx.xxx then tell me". The app doesn't receive any random URLs, only URLs that it said it wants to receive. So what you are suggesting is actually happening already.

Re:3rd Party Responsibility?

[ConfusedVorlon]

that's how it is at the moment

by default, you cannot launch an ios app with a url handler.

the app has to register a url scheme, and include code for handling the call. Apple is pretty pointed in the documentation that you need to consider carefully what might be incoming and treat it with suspicion.

this is a good capability - Skype are just idiots.

Re:3rd Party Responsibility?

[Bogtha]

[disclaimer: iOS developer]

Apple are right, the responsibility is on the app developers. The data passed in through a URL is untrusted data. It's not just websites that you surf to that can send data to your app this way, other apps can too. That's its designed purpose; to "secure" this functionality on Apple's end would essentially be to remove it.

Applications that tell the system that they handle a URL and then blindly trust data they receive through that mechanism are essentially the same as web applications that blindly trust data they receive through URLs. It's a newbie web developer mistake, and many iOS developers have made the same mistake. This doesn't mean that Apple have a responsibility to "fix" this any more than it's the responsibility of HTTP to protect naïve web developers from trusting data they receive in URLs.

Re:3rd Party Responsibility?

[Bogtha]

In case anybody was wondering about that documentation, Apple specifically warn against this in the documentation for this API:

Be sure to validate the input you get from URLs passed to your application; see "Validating Input" in Secure Coding Guide to find out how to avoid problems related to URL handling.

And in that Secure Coding Guide, you will read things like this:

Any time your program accepts input from an uncontrolled source, there is a potential for a user to pass in data that does not conform to your expectations. If you don't validate the input, it might cause problems ranging from program crashes to allowing an attacker to execute his own code.

If your application has registered a URL scheme, you have to be careful about how you process commands sent to your application through the URL string. Whether you make the commands public or not, hackers will try sending commands to your application. If, for example, you provide a link or links to launch your application from your web site, hackers will look to see what commands you're sending and will try every variation on those commands they can think of. You must be prepared to handle, or to filter out, any commands that can be sent to your application, not only those commands that you would like to receive.

Re:3rd Party Responsibility?

[BasilBrush]

Then, in the next iOS update (or the one after, if the next update is scheduled to be too soon) there will suddenly be a prompt for launching applications via registered URL handlers, possibly with some hype about how Apple is looking out for you, but not necessarily.

No they won't. Confirmation dialogs as a matter of course is the Windows Vista way. It's not the Apple way. They may at some time provide a facility for app developers to opt to have a confirmation dialog before leaving Safari, for operations which have security implications.

Meanwhile, the Apple answer is absolutely correct. The onus is on App developers to decide on the security implications of acting on any URL types they define. And to decide for themselves what user interaction should be required.

Re:3rd Party Responsibility?

[Wovel]

You are obviously confused, obviously never written an application for anything, and certainly never written an iOS app. Application developers have the ability to create confirmation dialogues and the responsibility to do so. From the nature of the ignorance displayed in your post I would assume you have never used an iPhone and certainly never used an iPhone Skype app. Your false outrage is more annoying than cute.

Apple's only realistic solution would be to reject apps that do not use confirmation dialogues for doing things like making Skype calls. But then Apple has to make a judgement about how important certain activities are.

Re:3rd Party Responsibility?

[Wovel]

You wish...Search for the list of security in Android, it is on here somewhere. Many of them are months (not the 2 weeks of the PDF exploit on iOS) and at least 5 of them are more serious, a couple can be exploited remotely.

Your "interesting" post only pointed out one iOS security flaw, the "PDF" exploit and it still required the user to someting. Your outrage over the URL handlers shows you know nothing at all about application development, url handlers, iOS, iPhones, web browsers, or application security.

I love your signature line touting the most completely insecure mobile environment available today. Good show. It is cute that your drivel was modded insightful.

Re:3rd Party Responsibility?

[SoupIsGoodFood_42]

That doesn't make much sense, though, does it? The only way it would make sense was if you could prove that they've had just as many security flaws as they would otherwise have had if they were more open.

Re:3rd Party Responsibility?

[GameboyRMH]

You wish...Search for the list of security in Android, it is on here somewhere. Many of them are months (not the 2 weeks of the PDF exploit on iOS) and at least 5 of them are more serious, a couple can be exploited remotely.

Ouch! RIP strawman.

Your "interesting" post only pointed out one iOS security flaw, the "PDF" exploit and it still required the user to [do] someting.

Yeah like follow a link. Very remote chance of that happening, I know.

Your outrage over the URL handlers shows you know nothing at all about application development, url handlers, iOS, iPhones, web browsers, or application security.

LOL yeah I know nothing about those because I think a trivial-to-implement, HTML-based drive-by call activation exploit is a big issue. I'm totally blowing it out of proportion. This was a gigantic fail on Skype's part and Apple shares some blame too. Oh sorry, my ignorance is showing, I WUV APPLE!

I love your signature line touting the most completely insecure mobile environment available today.

The only thing insecure about it is that it doesn't protect stupid and determined users from hurting themselves. I welcome this "insecurity."

Re:3rd Party Responsibility?

[Altus]

Always allow is not really an acceptable option. you are counting on the user to know what the third party application is going to do in every case.

Re:3rd Party Responsibility?

[ashidosan]

every time they click a mailto: link, or click a link to a stream that would open in VLC, or any number of other things that are completely innocuous

Right. And there, you need to balance "security" with "convenience." Windows Vista had a similar problem of being nosy like this, and was vilified for it (along with a host of other problems outside the scope of this discussion).

Re:3rd Party Responsibility?

[ashidosan]

Is the word "whoosh" still used around here?

Re:3rd Party Responsibility?

[Bigjeff5]

I don't see why this was modded troll.

If this comment was trollish then so was mine.

A little consistency here mods?

Re:3rd Party Responsibility?

[BasilBrush]

Appreciated Jeff. There are too many here who mod based on whether they agree with the comment or not. And all too often on what platform they like or dislike. It's cowardly.

Uhm...

[larpon]

Anyone using the Skype public API can make apps that call someone.
Kopete IM for KDE is the first that pops to my mind.

Re:Uhm...

[countSudoku()]

Sweet! Make one that calls half of the people "assholes" and the other half "geniuses." That'll leave them scratching their eyes and heads.

Re:Uhm...

[larpon]

I'd call Harry Sacks

Re:Uhm...

[GuldKalle]

What is your point?

This is about websites, not about programs you've installed yourself. Did you read the headline?

Re:Uhm...

[slimjim8094]

But you installed Skype. This is a stupid issue, since Apple doesn't know how to validate the data passed via the handler... it's up to the app launched from a (possibly untrusted) source to check it all. Most apps do this, and I would've done it out of habit.

It's a Skype bug that's easy to fix. I'm sure they'll have a patch out in the week.

Re:Uhm...

[Culture20]

But you installed Skype.

knowing that skype could call from visiting webpages in safari? It's not called "skype mobile safari plugin app"

This is a stupid issue, since Apple doesn't know how to validate the data passed via the handler... it's up to the app launched from a (possibly untrusted) source to check it all.

I agree, but only about the stupid issue part. It should be up to the human, the owner of the phone, to check it. But apple wants to remove thinking from their users (spelling correction, not spelling checking).

Apple should handle but it's Skype's fault

[rsborg]

Realistically, all registered handlers should be interdicted like the call-interface.

However, I can see how it's in Apple's best interest to leave this to Skype:

1. Skype is competing with their FaceTime and Phone/SMS interfaces.
2. If Apple were to implement generic protocol handler inderdiction/approvals, this opens up a huge can of worms and it Apple begins to own the problem (more than they currently do).

I see where Apple doesn't want to do the right thing, and ultimately, it's still Skype's fault that they don't allow the user to approve call links.

Re:Apple should handle but it's Skype's fault

[Bigjeff5]

It's not just Skype, that was just an example.

ANY app can be opened this way.

It's definitely Apple's problem. Skype could have been really awesome fixed the problem on their end, but that would not have solved the problem for the 200,000 other apps that can be launched this way.

Re:Apple should handle but it's Skype's fault

[mini+me]

Not all URL handlers point to resources that can be exploited. Apple is right here, it is up to the app developer to determine what the user should have to confirm and what they should not have to.

Re:Apple should handle but it's Skype's fault

>> ANY app can be opened this way.

Wrong. No app can be opened this way unless they register a URL handler. And if they do, that is not in itself a security flaw. I wrote an app that registeres a handler and can be told to open a document. So a webpage could conceivably open my app. Not a practical flaw because people would have to have that app installed, then there would have to be an action that contains a security flaw that can lead to remote code execution. In other words, there is nothing here, and you don't know what you're talking about..

Re:Apple should handle but it's Skype's fault

[atchijov]

First of all, please check your facts before making such a broad assumptions. Application need to be configured in particular way in order to be invocable via URL in iOS. I will be surprised if 1 in 1000 applications in Apple iTunes App Store using this functionality. Secondary, It is 100% application responsibility to act "properly" when invoked via URL. All iOS does is firing app and informing it that it was invoked via URL. Skype choose to start call without getting confirmation from the user. Too bad for Skype.

Re:Apple should handle but it's Skype's fault

[MichaelKristopeit122]

no.

Re:Apple should handle but it's Skype's fault

[MichaelKristopeit123]

i don't understand... if he doesn't know what he's talking about, then why is he moderated +5 insightful?

oh right...

slashdot = stagnated

Re:Apple should handle but it's Skype's fault

[wkcole]

It's not just Skype, that was just an example.

ANY app can be opened this way.

That is false. Most apps do not register URL handlers.

Should the small minority of apps that register URL handlers be trusting that when they get a URL tossed at them, the user knows and approves of the app being opened for that purpose? Of course not. That would be inconsistent with how iOS is documented to operate. Safari or any other app sending an OpenURL message has no way to know whether a particular URL scheme has a potentially risky handler on the other end. An app that receives an HandleOpenURL message knows what its URL scheme does and knows whether handling a particular URL might be risky. Some developers seem to be making use of the opacity of that mechanism.

It's definitely Apple's problem. Skype could have been really awesome fixed the problem on their end, but that would not have solved the problem for the 200,000 other apps that can be launched this way.

Where do you get that number? The biggest list of registered URL schemes I can find seems to have about 140 listed ("seems" = a crapulous website showing ~10 per page, 14 pages.) Most apps would have no need to register an URL scheme.

Skype dropped the ball here. Their app is doing something potentially costly in response to a system message that Skype knows the user might not have knowingly initiated. The app should be asking the user for authorization before initiating the call. Doing that would be more accurately described as "minimally competent" than "really awesome" unless you consider elementary security awareness "really awesome."

I don't get me wrong. I'm not saying that Apple shouldn't fix the design issue here, they should. But this is a UI design problem more than it is really a security problem. A wisely designed app that needs this functionality can ask for user authorization, but only after it has been launched and put in the foreground. Apple should generalize the integration they use in their own apps to a system-level feature that asks the user for authorization before switching apps whenever an OpenURL is sent that would switch apps. Let apps request quiet switching in their Info.plist and let users toggle that on a per-scheme basis. In the interim, they should go through the app store and remove every app that registers an URL scheme which it handles to do something risky without user authorization.

Re:Apple should handle but it's Skype's fault

[MichaelKristopeit172]

i don't understand... if he doesn't know what he's talking about, then why is he moderated +5 insightful?

For the same reason you're marked as a Troll - because no one agrees with you but you and your 150 other MichaelKristopeit accounts. In fact not even all of them agree with you.

Re:Apple should handle but it's Skype's fault

[MichaelKristopeit118]

you're an idiot... they are moderated AT THE HIGHEST LEVEL OF INSIGHTFULNESS because no one agrees with me? it's stating an obvious fact... NOT EVERY APP CAN BE OPENED WITH A HANDLER. organized groups exploiting the moderation system are attempting to push agendas and promote LIES.

slashdot = stagnated.

"MichaelKristopeit172" is operated by an individual attempting to steal my identity .

to the cowardly individual responsible: present yourself to me, admit what you've done; and i'll bring upon you the ultimately punishment for your transgressions.

you're COMPLETELY pathetic.

Re:Apple should handle but it's Skype's fault

[Angostura]

If only Skype actually allowed video calling from an iPhone, yes they would be competing with Facetime. Sadly, they don't.

Re:Apple should handle but it's Skype's fault

[francium+de+neobie]

ANY app can be opened this way.

If you've registered a URL schema to the OS, and the OS calls up your app when it sees that URL schema... how's that different from any other OS (w/ the associated software suite), like Windows and Linux?

The OS could help by telling your app things like "this URL comes from an Internet URL on Safari".. but it's by no means the OS's fault. It's just doing what it's supposed to do, an intermediary.

Re:Apple should handle but it's Skype's fault

Based on Apple policy Skype app should be banned from iOS for not ensuring "security", at least until it does, if it doesn't happen then all the buzz around ensuring security on the iPhone by controlling the submission process is just Apple marketing (a.k.a. bs).

Re:Apple should handle but it's Skype's fault

[dzfoo]

don't get me wrong. I'm not saying that Apple shouldn't fix the design issue here, they should. But this is a UI design problem more than it is really a security problem. A wisely designed app that needs this functionality can ask for user authorization, but only after it has been launched and put in the foreground. Apple should generalize the integration they use in their own apps to a system-level feature that asks the user for authorization before switching apps whenever an OpenURL is sent that would switch apps. Let apps request quiet switching in their Info.plist and let users toggle that on a per-scheme basis. In the interim, they should go through the app store and remove every app that registers an URL scheme which it handles to do something risky without user authorization.

So, in your recommended solution, the user would click a "skype://" link and Safari would prompt him with a necessarily generic message such as "You are about to launch Skype, are you sure?" And when the user confirms this, then Skype would launch and prompt the user with a domain-specific message such as "Call: 1-900-xxx-xxxx - This call may incur additional costs. Are you sure?"

Two clicks for the price of one. Yes, that's the kind of Apple human-computer interface we all know and love.

No, this is not a iOS security vulnerability. Safari, nor the operating system, has any way to know whether the resource offered to the external application is exploitable. Except of course when the external application is provided by the OS itself or by an application included in the built-in suite; such as the example of the "tel://" protocol scheme.

For the confirmation message to be meaningful, it must be presented by the target application--which has intimate domain and context knowledge of the resource. That, or Apple would need to keep track of the context and semantics of each and every protocol scheme and how they can be used.

However, this last one still would not be perfect, for each application is free to use the submitted resource in any way it wants to. There is nothing that prevents Skype from receiving a "skype://" URL and deciding to, say, delete your Skype address book, or initiate an HTTP download.

        -dZ.

Re:Apple should handle but it's Skype's fault

[MichaelKristopeit172]

i'll bring upon you the ultimately punishment for your transgressions.

The ultimately punishment? Lolly, lolly, lolly get your adverbs here.

Re:Apple should handle but it's Skype's fault

[Wovel]

"ANY" app wil not have a URL handler.

Of the few that do, very few of those do anything that would require confirmation. The documentation for App developers clearly tells them to validate input, etc. when launching their app from a URL handler.

You are obviously confused about what a URL handler even is.. Cure that you got modded insightful though.

Re:Apple should handle but it's Skype's fault

[Wovel]

No I think he was suggesting that the URL handlers allow the custom confirmation to be launched inside of Safari before even launching the app (like the standard phone number handler in iOS).

Re:Apple should handle but it's Skype's fault

[Culture20]

If I got a prompt from safari telling that a website wanted to open skype, I'd say "WTF?! Hell no!", then thank appl for protecting me from random stupid website. As it stand now, I have no idea which of my apps might have "backdoor" URL handlers. Will the NPR app open if I visit npr's website? Will Super amazing fart soundboard open and make fart noises when safari sees a google ad? The dual prompt may not be the apple way, but it is the right way. If I'm reading a webpage, I'd like some notification that safari is closing before it opens other apps.

Re:Apple should handle but it's Skype's fault

[wkcole]

don't get me wrong. I'm not saying that Apple shouldn't fix the design issue here, they should. But this is a UI design problem more than it is really a security problem. A wisely designed app that needs this functionality can ask for user authorization, but only after it has been launched and put in the foreground. Apple should generalize the integration they use in their own apps to a system-level feature that asks the user for authorization before switching apps whenever an OpenURL is sent that would switch apps. Let apps request quiet switching in their Info.plist and let users toggle that on a per-scheme basis. In the interim, they should go through the app store and remove every app that registers an URL scheme which it handles to do something risky without user authorization.

So, in your recommended solution, the user would click a "skype://" link and Safari would prompt him with a necessarily generic message such as "You are about to launch Skype, are you sure?" And when the user confirms this, then Skype would launch and prompt the user with a domain-specific message such as "Call: 1-900-xxx-xxxx - This call may incur additional costs. Are you sure?"

Two clicks for the price of one. Yes, that's the kind of Apple human-computer interface we all know and love.

A quarter century of experience with Apple's HIG has taught me that "know and love" is not really a suitable phrase. That implies something like a monogamous spousal relationship, while the reality for Apple customers and developers is more like being regulars at the Moonlight Bunny Ranch...

What I'm suggesting is that currently apps have a responsibility to do their own authz dialogs because nothing else does. Ultimately an app that does potentially risky/costly things depending on the specifics of the passed URL will always have to do that unless Apple creates a means of registering a parser to translate an URL to the text of an authz request. Because apps are written and used by populations large enough to each follow Sturgeon's Law, the right thing for Apple to do given the established architecture is to add a default behavior of asking before switching apps with an API that lets apps suppress that (i.e. if they are going to need to ask anyway) and a UI that lets users tweak behavior to their liking. If Apple had done this right from the start, thinking first about the UI and working back to a more robust API, they could have created a better system. It's too late for that, because the UI now is broken whether apps actually handle their authz issues or ignore them and there are scores of apps written to the existing system.

No, this is not a iOS security vulnerability. Safari, nor the operating system, has any way to know whether the resource offered to the external application is exploitable. Except of course when the external application is provided by the OS itself or by an application included in the built-in suite; such as the example of the "tel://" protocol scheme.

For the confirmation message to be meaningful, it must be presented by the target application--which has intimate domain and context knowledge of the resource.

I would expect Apple to take the easy approach of just asking the user to approve the app switch as you describe, but it really wouldn't be all that hard conceptually for them to provide a better backward-compatible extension of the scheme "registration" mechanism for apps whose scheme isn't intentionally obfuscated. There could be a couple more optional attributes in the Info.plist: a regex that picks out critical attributes from an URL and a format string for turning those attributes into an authz question for the user. If they had thought about this issue earlier, they might have required apps to provide their own free-standing authz functions that could be run before switching apps, but that would probably not be welcomed by developers at this point.

Re:Apple should handle but it's Skype's fault

[dzfoo]

But there's no way for it to know what the handler is going to do prior to calling it! It's like asking Safari to solve the Halting Problem when seeing a URL protocol scheme.

You are predicating this solution on the assumption that the scheme "skype" means "make a VoIP phone call", but it doesn't mean that at all. It literally just means "this scheme is handled by the application Skype, for it knows what to do with it." It could mean "make a VoIP call," but it just as well could mean "write to log file," "download update," "delete address book," or "phone home."

        -dZ.

Re:Apple should handle but it's Skype's fault

[marsu_k]

You are certain that it is Skype placing this restriction and not Apple? My N900 can make Skype (and GTalk) video calls just fine.

Re:Apple should handle but it's Skype's fault

[dzfoo]

What I'm suggesting is that currently apps have a responsibility to do their own authz dialogs because nothing else does. Ultimately an app that does potentially risky/costly things depending on the specifics of the passed URL will always have to do that unless Apple creates a means of registering a parser to translate an URL to the text of an authz request. Because apps are written and used by populations large enough to each follow Sturgeon's Law, the right thing for Apple to do given the established architecture is to add a default behavior of asking before switching apps with an API that lets apps suppress that (i.e. if they are going to need to ask anyway) and a UI that lets users tweak behavior to their liking. If Apple had done this right from the start, thinking first about the UI and working back to a more robust API, they could have created a better system. It's too late for that, because the UI now is broken whether apps actually handle their authz issues or ignore them and there are scores of apps written to the existing system.

There are two issues here which have been conflated. On the one hand, there is the inconvenience of being taken out of a Safari browsing session. On the other, there is the potential risk of an external application performing some unwanted action. The former is a UI issue, but not a security risk. The second one is a security risk, but is mitigated by the OS controlling access to risky services, such as location information, and network and telephone communications. However, if the user has already granted permission to the target application to do its actions, then it is not really a security risk when it tries to perform them.

If the developer of the application decided to perform the action during use cases when the user may not be aware of the request--such as the one in question, when a URL (or maybe even a hidden iFrame) requests a VoIP call--then this is not the OS's issue, it is an issue of transparency. It makes the application look sneaky. But still, let's not forget, that the user granted it permission. It is a matter of user expectations, which the developer is arguably not fulfilling.

At the heart of the matter is the fact that the URL does not dictate function nor context, just the target handler. How can the OS ultimately know that the target application will do something potentially risky or costly? After all, something as innocuous as, say "pdf://" scheme, does not preclude the target handler from deciding that it will use the telephone API to call a 1-900 number. If it did, then you would imagine iOS intercepting this request. However, if the user granted permission to the handler to make telephone calls, is it really a violation of OS security policy, or user expectations?

Granted, this is an obviously obtuse example, but the same applies to the "skype://" scheme: the user already granted it permission to make phone calls. Perhaps the user does want Safari to automatically make a call when he clicks on the a "skype://" hyperlink. It is not Safari's job to decide this, but Skype's. In my opinion, this is an assumption that should not be made automatically; but still it is the responsibility of the Skype application to either make the assumption, or request confirmation.

        -dZ.

Re:Apple should handle but it's Skype's fault

[MichaelKristopeit140]

"MichaelKristopeit172" is operated by a pathetic individual attempting to steal my identity.

to the person responsible: if you come to my property at 4513 brittany ct. eau claire, wi 54701 and admit what you've done, you will ultimately die.

you're completely pathetic.

Re:Apple should handle but it's Skype's fault

"MichaelKristopeit$number" is operated by a pathetic individual trying to project his meaningless identity. to the person responsible: if you own the property at 4513 brittany ct. eau claire, wi 54701 and given what you've done, you should kill yourself.

you're completely pathetic.

Is this *really* only an Apple bug??

[bradgoodman]

As an iOS developer - I kind of agree with Apple. I write apps which register URL handlers - and when one clicks on on - I make the *user* validate that this is what they really want to do. The same kind of exploits could be done on PCs - if you had a URL handler - like "SSH" which blindly allowed a third-party URL-click to launch SSH on your PC and log into a site - or even to do the same thing with *skype* URLs. Has anyone verified if these kind of behaviors would or would not happen on a PC or Linux machine?

Re:Is this *really* only an Apple bug??

[je+ne+sais+quoi]

I'm conflicted. On one hand, Skype is sort of known for getting hacked (having had my "Skype account" hacked and a bunch of money charged to my credit card even though I didn't have and never did have a Skype account. It was a pain to sort out but as identity theft goes, not as bad as it could have been.) On the other hand, I seem to recall that a big complaint of Windows was that it was too easy for someone to make use of a security flaw in an application because all the applications ran under administrator privileges. This smells the same way, too easy to "one-click" your way to identity theft.

Re:Is this *really* only an Apple bug??

[MichaelSmith]

file:///bin/ls on linux asks me to save the file. Firefox here doesn't understand ssh though that may be implementation specific.

Re:Is this *really* only an Apple bug??

[gman003]

file://c:/cygwin/bin/xterm.exe also prompts to save file (with a warning the .exe's are potentially dangerous), on Vista, using Chrome. Looks like even Windows is smart enough to not blindly execute URLs.

Re:Is this *really* only an Apple bug??

[emt377]

"Kind of"? Clearly the helper app has to do any validation and authentication since it has domain specific knowledge. How would the browser know to confirm, say "do you wish to call 1-900-xxx, this will incur a charge?" or "Upgrade CrapWare from 1.x to 2.3 for $19.99?" All the browser can ask is "really run helper App A?" Which may not mean anything to a user and they have no idea whether they want to or not. The fact that anyone can create a link or content that causes Skype.app to make a call really is a problem with Skype, not the browser...

Re:Is this *really* only an Apple bug??

I'm conflicted. On one hand, Skype is sort of known for getting hacked (having had my "Skype account" hacked and a bunch of money charged to my credit card even though I didn't have and never did have a Skype account. It was a pain to sort out but as identity theft goes, not as bad as it could have been.)

So what you're saying is, your credit card number was stolen/skimmed and someone registered a Skype account with it to run up charges?

I fail to see how this is a Skype issue. The same thing could happen with Amazon or any other business that accepts credit cards over the Internet.

Re:Is this *really* only an Apple bug??

This is not at all what the article is about. The iPhone won't execute random URLs either. This is only for apps that have explicitly registered their own protocols (like skype). So if you open skype://call?somecontact it will open skype and try to call that contact. Same exact thing happens on Windows with Skype installed, and it is exactly the same non-issue there.

Re:Is this *really* only an Apple bug??

[XMode]

Well you ARE telling it its a file... ssh://example.com would be an example of an ssh URL...

Re:Is this *really* only an Apple bug??

[blueg3]

Why on earth would the file: protocol have the meaning "maybe execute this file"?

Re:Is this *really* only an Apple bug??

[MichaelSmith]

Historically that used to work on windows. You could launch executables with the browser.

Re:Is this *really* only an Apple bug??

[blueg3]

Well, on Firefox on Linux, an application that is registered as the URL handler (e.g., for callto:) is automatically launched when you click on an appropriate URL. No idea about iframes and other trickery. No idea how Skype on Linux works (if it confirms calls), but it's certainly up to the application.

Re:Is this *really* only an Apple bug??

[jrumney]

As an iOS developer - I kind of agree with Apple. I write apps which register URL handlers - and when one clicks on on - I make the *user* validate that this is what they really want to do.

If I write a seemingly harmless application that registers a url handler for the phish: protocol, then I agree that it is the application that is at fault, but I do expect the OS to protect users from this. Android pops up a dialog asking which application you want to handle the protocol - even when there is only one choice, and the user has to explicitly tick the "always use this application" box to skip that confirmation step.

Re:Is this *really* only an Apple bug??

[moonbender]

What is clear is that I don't expect my web browser to launch external programs without my consent. Even starting an email client for mailto: urls annoys me. Displaying a dialog before running an url handler needs to be the default behaviour. I suppose you might want to give the user the option to opt-out of the dialog for an individual protocol on a per-domain basis, although I don't see what the big deal is with quickly displaying a confirmation dialog when I'm leaving the browser.

And while Skype does have domain specific knowledge, it does not know whether the URL is coming from a trusted context or not. In a desktop environment, I might add links to Skype call urls on my desktop, I wouldn't want a confirmation when running those.

Re:Is this *really* only an Apple bug??

[moonbender]

When I run a callto: URL in my Firefox/Linux, I get a dialog asking me if I want to open gnomemeeting. It's not opened by default, although there is a checkbox to do that for future invocations.

Re:Is this *really* only an Apple bug??

[enoz]

Historically that used to work on windows. You could launch executables with the browser.

I'm pretty sure only Internet Explorer behaved badly in that way.

Re:Is this *really* only an Apple bug??

[GuldKalle]

Protect users from what? They made a choice to install an app (Skype), and the app already has access to the system. Anything malicious it can do, it can do without registering an url handler.
The Android method you're mentioning is valid, too. But with the "It just works" mantra from Apple, I wouldn't expect to be asked "are you sure you want to use skype for 'skype:*' ?"

Re:Is this *really* only an Apple bug??

[tlhIngan]

As an iOS developer - I kind of agree with Apple. I write apps which register URL handlers - and when one clicks on on - I make the *user* validate that this is what they really want to do. The same kind of exploits could be done on PCs - if you had a URL handler - like "SSH" which blindly allowed a third-party URL-click to launch SSH on your PC and log into a site - or even to do the same thing with *skype* URLs. Has anyone verified if these kind of behaviors would or would not happen on a PC or Linux machine?

Already happened. With Firefox, at that, years ago.

http://secunia.com/advisories/25984

Firefox registered a "firefoxurl://" handler, which can call Firefox with arbitrary command line arguments, including malicious javascript.

Apple can't validate every URL that passes through - if they had a magic library that could ensure every URL is completely valid in every context from now to forever, they would have that patented and licensed to everyone. So in the end, the application handling the URL must validate its arguments.

The question is - does this affect the PC clients as well? Does Skype on Windows also have the same problem? Or does it not register any URL handlers so you can't just click a Skype link?

Re:Is this *really* only an Apple bug??

[Phroggy]

I'm just irritated that Internet Config went away with the switch to Mac OS X. Such a simple, powerful idea! It would show you (among other things) a list of protocols, and what helper applications were associated with them, and allow the user to easily make changes. It was one of those little gems that was such a good idea that applications started almost universally supporting it even before Apple got on board. Then Apple made their own UI and shipped it with the OS, and life was good... until Mac OS X came out and they decided users didn't need to be bothered by being able to configure their system the way they wanted.

Re:Is this *really* only an Apple bug??

[ArsenneLupin]

The same thing could happen with Amazon or any other business that accepts credit cards over the Internet.

Not necessarily. Mail-order places (such as Amazon) can verify whether the mailing address corresponds to the billing address.

Re:Is this *really* only an Apple bug??

I feel like the complaint with Windows is that an app can compromise the security of the whole OS. In this case, Skype is compromising the security of Skype. Apples and oranges.

Re:Is this *really* only an Apple bug??

[moonbender]

I have literally no idea how to view and change url handlers in Gnome, either. I suppose it's a weird mix between Firefox settings, Gnome settings and maybe some other stuff thrown in for good measure.

There is a "Preferred Applications" preferences panel, which handles the frankly bizarre mix of default web browser, mail app, multimedia player, terminal app (?!) and two accessibility apps. I guess this strange mix of protocol handlers and handlers of other stuff is one of those things that is convenient for new users but really unintuitive to more experienced people. To its credit, the browser setting does display all three installed browsers, including the Firefox 4 Alpha. The multimedia panel, on the other hand, says my default player is Rhythmbox (which I never use) instead of Banshee (which is use for music) or smplayer (which I use for video). The latter two aren't even listed, neither is VLC or any of the many other players I have installed, in fact, the only option beside Rhythmbox is Totem.

I'm sure it'll be better in the next Gnome release, which I hear focuses on fixing all those little interface issues instead of going for a full-on revamping -- oh wait...

Re:Is this *really* only an Apple bug??

[Wovel]

You are wrong on every level and totally confused. I for one am shocked this was not modded insightful.

Re:Is this *really* only an Apple bug??

[Altus]

See, I woudl find it a pain in the ass if my os made me click through a dialog every time I clicked on a mailto link. I just want the browser to get the hell out of my way and let me send some mail.

Re:Is this *really* only an Apple bug??

[moonbender]

Like I said, you could offer an option to disable the popup on a protocol and/or site basis.

IOS ?

[ivan_w]

IOS ?

Isn't that CISCO's router OS ?

(I remember IBM having to rebrand their own (formally OS/400) own OS for IBM i systems from i/OS to IBM i5 OS because they feared a CISCO suit)..

enable
conf term
interface eth0
no shutdown
exit
write
exit

--Ivan

Re:IOS ?

Apple has licensed Cisco trademarks. And it's iOS, not IOS.

Re:IOS ?

[mini+me]

iPhone is also a trademark of Cisco. I think Apple probably has it covered.

Re:IOS ?

en
conf t
int eth0
no sh
exit
write
exit

Neat

[pieisgood]

That's pretty neat, regardless of the obvious harm that it could cause. Set up a small server and trick people into calling you, for the lonely hacker!

I met the love of my life ...

[Musically_ut]

... when a malware tried to initiate a Skype call from my iPhone but misspelt the skype_id ^^

Why are you wanting to close this down generally?

[SuperKendall]

It's odd to me that so many people on Slashdot who complain about platform openness on the iPhone, are suddenly eager to close down a channel of functionality.

In reality, you want any app to be able to use a defined URL handler path without interdiction - imagine a flow of photo editing apps where you use two or three, it's already slightly jarring to switch apps, why would you want a system dialog in the middle of that flow for each call?

It really does make a lot more sense for some application that has a protected resource it allows custom URL handlers to activate, to place protection in front of that to be confirmed by the user - Apple does it with the call mechanism, any app that makes a call does prompt the user to confirm a call is desired. So Skype should in fact follow suit, but we should harm the flow of data between other applications in the system just because one app developer is a bit weaker on security.

Can you really call pay numbers via skype anyway? I would have thought that would cause skype to verify you really wanted to make a paid call, regardless of the number coming in via an outside source or the user typing it in... if you can't make a call on skype that costs anything, then securing it seems kind of moot since there'd be little point in an attack.

Re:Why are you wanting to close this down generall

[0123456]

In reality, you want any app to be able to use a defined URL handler path without interdiction

No I don't. In fact, I just want a web browser that's a web browser, and is completely lacking the ability to run arbitrary programs on the host machine.

Every time I hear about a URL handler exploit I wonder who the hell ever thought that it was a good idea.

This just in

[blueg3]

URL handlers handle URLs. Geeks are shocked.

Re:This just in

"Since applications on iOS run in full-screen mode, this can be an annoying and jarring experience for the user."

OMG malicious apps that can insecurely annoy me!

Re:This just in

[MichaelKristopeit162]

there hasn't been a geek on this site in years... more like "URL handlers handle URLs... marketeers attempt spin"

slashdot = stagnated

Not sure if it's worthy of a mention but

[joshier]

iTunes prompt for password just popped up when I loaded safari to visit slashdot homepage. iPod touch 4g

Thank you.

You have added the first rational comment to this conversation. There is no security flaw here. Browsers also handle certain URLs. Those may be malicious, also. Does that make the browser insecure? No. It is doing what it was designed to do.

Browser cannot run arbitrary applications

[SuperKendall]

No I don't. In fact, I just want a web browser that's a web browser, and is completely lacking the ability to run arbitrary programs on the host machine.

And that's what you have. The web browser can only launch apps where the app itself defines EXACTLY the URL schemes that it accepts, the app can only be launched if you use a link of the form the application expects - and then the application will be launched into a method explicitly built to handle that launch path.

The URL scheme is a great way for applications to transfer data between themselves, as in the example I gave where a photo can be transferred between a few different photo editing applications. We have only one instance here where THEORETICALLY it could be a problem that a web link can trigger a skype call, even though no-one has yet laid out the path where that costs the user any money without interdiction (does the Skype app really let you call pay numbers that are entered even by hand? That seems like an issue by itself).

Anonydude

Apple has all the right in the world to say they aren't responsible for security... The Walled Garden ain't what she used to be. Jailbreak is legal. How can they be held responsible for what happens once it leaves the factory?

Disclaimer: I got No Apple Nada.

What's wrong with URL schemes? They are secure.

[SuperKendall]

URL schemes are secure as they are. Applications have to define a scheme they will support; you cannot open just any application. Then when the app is launched it goes through a specific method built to handle parsing the specific URL that the application itself asked be used to launch. I don't see the security risk, at all.

Even in the case of Skype, what harm can an attacker really do? The worst I could see would be calling an expensive pay number. But wouldn't Skype have a built-in warning around that generally no matter how such a number was called? Shouldn't it? That's why protection of something that can cost real money would seem to be in the domain of the application itself to protect, because Apple cannot know all the possible input paths that trigger money to be spent.

How could it make sense for the OS to handle this?

[sco08y]

As an iOS developer - I kind of agree with Apple. I write apps which register URL handlers - and when one clicks on on - I make the *user* validate that this is what they really want to do.

Another way of looking at it: if you've got an app that accepts an URL handler, do you want a braindead OS policy of asking the user for permission every time? Especially when the OS would likely have to ask, "do you wish to open foobar://1233453987039 with Metapie?"

The only way to avoid that would be for the app to register an URL evaluator and an URL security policy, at which point you may as well just have the app make the decision. It doesn't make any sense for this to be handled at the OS level.

different expectations

It's funny how, if you unwrap your new Dell PC and find the keyboard too mushy, it's Microsoft's fault, but when there's an exploit on iOS in an ecosystem where each and every app is approved and sold by Apple, then "the onus is on the third party developer".

Re:different expectations

[Wovel]

Of course there is no exploit.. Neato try though.

Re:Why are you wanting to close this down generall

Its not the openness they are complaining about, its the hypocrisy.

Re:The Kristopeit family saga.....

[sempir]

Is this a private family duff up...or can we all join in?

Re:What's wrong with URL schemes? They are secure.

[Culture20]

But wouldn't apple have a built-in warning around that generally no matter what app was called? Shouldn't it? That's why protection of something that can do generic stuff would seem to be in the domain of the initiating application to protect, because Apple cannot know all the possible input paths that trigger damage, so they should defer to the end user (thinking human), not Steve Jobs' Perfect Algorithm.

FTFY

Re:Why are you wanting to close this down generall

[SuperKendall]

Where is the hypocrisy? The only hypocrisy I see evident is people attacking apple for being too closed at the same time they claim they are too permissive.

Apple can't have it both ways.

If they want full control of what you can run on your won hardware then they bear full responsibility for the problems.

It is simple common sense, but as we know, Apple fanboys lack this when it comes to talk about their shinny gadgets.

That's convenient.

I like how when they are explaining why they don't allow flash, or don't allow sideloading apps, or any of their other restrictive policies it's because they are doing it for the safety and wellfare of their users. But when someone points out an OBVIOUS problem, well, we just figure the devs have got it.

With SO many restrictions on what will and will not pass muster in the app store approval process, why not just require anyone with a protocol handler to request authorization?

Pretty weak response that undermines their position on a LOT of their policies, not that anyone here is surprised to find out that their controls are really about THEIR control and not just doing what is best for the average user.

OT: I really need to remember my stupid login. :(

Indefensible

[cforciea]

I don't get how Apple's position in this is defensible. The whole iOS platform is sold as a locked down walled garden that, and I quote, "just works." This specific incident demonstrates two things to us:

1.) The application approval process doesn't actually protect us as users. We've all known this for a while, and by itself it actually isn't that big a deal.

2.) Apple's bottom line is the only thing the walled garden is protecting. If an application gets through the approval process but turns out to actually have a security flaw, that shouldn't be a big deal in a controlled market environment because you can either pull the application or change the environment to mitigate the issue. That obviously is not what is happening.

So yes, for those of you who are asking, we are actually upset that the iOS platform is both too closed and too permissive. We're complaining because it is closed in all the ways that hurt the consumer and yet isn't closed in any of the ways we were told it would help us. It is the worst of both worlds.

Re:Indefensible

[Wovel]

I don't get how Apple's position in this is defensible. The whole iOS platform is sold as a locked down walled garden that, and I quote, "just works." This specific incident demonstrates two things to us:

1.) The application approval process doesn't actually protect us as users. We've all known this for a while, and by itself it actually isn't that big a deal.

2.) Apple's bottom line is the only thing the walled garden is protecting. If an application gets through the approval process but turns out to actually have a security flaw, that shouldn't be a big deal in a controlled market environment because you can either pull the application or change the environment to mitigate the issue. That obviously is not what is happening.

So yes, for those of you who are asking, we are actually upset that the iOS platform is both too closed and too permissive. We're complaining because it is closed in all the ways that hurt the consumer and yet isn't closed in any of the ways we were told it would help us. It is the worst of both worlds.

You are apparently upset about nothing at all. What are you suggesting Apple should do? Pull the Skype app? Maybe, but it is not a big security hole, it does not happen in the background. You seem to be upset about a problem that does not exist. It is almost like you were looking for a reason to rail against apple. Oh that is what you were doing.

NM

Re:Indefensible

[cforciea]

Yes, if you are trying to sell me on your ability to moderate my user experience for my benefit, you have to actually protect me from security issues. If you can't figure out a way to change it from the OS end, you pull the app until they fix it themselves. If the only apps you actually pull from your app store are because they compete with one of your other services, I have no use for your app store.

Apple does not want to follow their own rules

iTunes uses the itms: url scheme. Apple does not want either Safari or iTunes to alarm their users by warning them, or making them vouch for the use of iTunes.

The same lack of warnings about url schemes exists on OS X, and there I see that Opera, Chrome, and Firefox issue warning dialogs asking you to approve the call to the handler. Only Safari play dumb and blindly calls the external app.

And suppose the url scheme handling software really was malicious? Would Apple tell their exploited users, too bad that malicious app didn't solicit your approval. Bad app!

To suggest this is the external app's responsibility is utterly foolish.

Re:Apple does not want to follow their own rules

[Wovel]

They are not saying you should warn for every link. Only that you should warn if you are going to do some that um requires a warning...Just opening the itms to display an app is not a dangerous activity, it would be beyond annoying to prompt for that.

Re:Apple does not want to follow their own rules

It is not annoying. It happens once, assuming the user grants approval persistently. The browser (Opera, Chrome, FF,...) records the approval and never prompts again if you tell it not to.

Again, this choice by Safari needs to be compared with the same choice by other browsers, both on iOs and OS X. And the comparison is clear. Only Safari is trusting. Other browsers are not -- and for good reason. Again, if the handler really were malicious, would it be expected to warn the user? Of course not. There is no possible way for the browser to know if the handler is trusted or not, so the only safe and sane (and not terribly effective) way to handle this is for the browser to prompt for approval.