Slashdot Mirror
Malicious Websites Can Initiate Skype Calls On iOS
An anonymous reader writes "In this article, security researcher Nitesh Dhanjani shows how iOS insecurely launches third-party apps via registered URL handlers. Malicious websites can abuse this to launch arbitrary applications, such as getting the Skype.app to make arbitrary phone calls without asking the user. Dhanjani 'contacted Apple's security team to discuss this behavior, and their stance is that the onus is on the third-party applications (such as Skype in this case) to ask the user for authorization before performing the transaction.' He also discusses what developers of iOS apps can do to design their software securely and what Apple can do to help out."
Whether or not a similar problem exists in competing products is beside the point. Nobody pretends competing products are implicitly secure straight out of the box. Apple fans pretend exactly that.
Or do you think that it's OK that your walled garden iOS product can make calls (potentially to expensive toll numbers) without any prior warning, simply by visiting a malicious website -- and that Apple doesn't think that's a problem?
As an iOS developer - I kind of agree with Apple. I write apps which register URL handlers - and when one clicks on on - I make the *user* validate that this is what they really want to do. The same kind of exploits could be done on PCs - if you had a URL handler - like "SSH" which blindly allowed a third-party URL-click to launch SSH on your PC and log into a site - or even to do the same thing with *skype* URLs. Has anyone verified if these kind of behaviors would or would not happen on a PC or Linux machine?
Here is how it will go down:
First, Apple say this is an app issue, and app vendors need to fix it. They will dig their heals in and effectively say "screw you" to all their loyal customers.
Then, in the next iOS update (or the one after, if the next update is scheduled to be too soon) there will suddenly be a prompt for launching applications via registered URL handlers, possibly with some hype about how Apple is looking out for you, but not necessarily.
When confronted about the dichotomy between their two positions, Steve Jobs will simply reply "Apple is always concerned about the security of our customers, of course we would want to protect them from these kinds malicious attacks." All the while giving the reporter a befuddled look, as if to suggest the reporter is crazy for even asking such a stupid question.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
It's not just Skype, that was just an example.
ANY app can be opened this way.
It's definitely Apple's problem. Skype could have been really awesome fixed the problem on their end, but that would not have solved the problem for the 200,000 other apps that can be launched this way.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
URL handlers handle URLs. Geeks are shocked.
Yeah, the fix should be simple. Add this to the list of requirements for apps and don't approve any that don't implement it.
The fix _IS_ simple. "This website is attempting to open XYZ.app. [ ]Allow? [X]Deny?"
So the curated iOS apps really then are the same as any other "Open" platform apps that user can download and install themselves. The only difference of course is that Apple get their 30% and are in a better position to control their platform - all nicely in the name of the user benefits!
You beat me to it, the "quality, security and support" arguments for curated app stores are DEAD now. Quality was a stillborn argument, security was quickly disproven, and now this support is the last nail in the coffin. When it came time for Apple to put their money where their mouth is, they offered a level of support that would only be acceptable for an amateur FOSS project (basically none, much like the weeks when the PDF exploit used by jailbreakme.com went unpatched) - except you can't even fix it yourself. And you're paying game console prices.
"When information is power, privacy is freedom" - Jah-Wren Ryel
I really fail to see how it is Apples fault that a third part App does something.
When you require that EVERY application that can run on your platform be approved by your personnel for sale, I'd say that you bear some (though by no means all) responsibility for the application's behavior.
What part of "shall not be infringed" is so hard to understand?
Here is how it will go down:
First, Apple say this is an app issue, and app vendors need to fix it. They will dig their heals in and effectively say "screw you" to all their loyal customers.
Then, in the next iOS update (or the one after, if the next update is scheduled to be too soon) there will suddenly be a prompt for launching applications via registered URL handlers, possibly with some hype about how Apple is looking out for you, but not necessarily.
When confronted about the dichotomy between their two positions, Steve Jobs will simply reply "Apple is always concerned about the security of our customers, of course we would want to protect them from these kinds malicious attacks." All the while giving the reporter a befuddled look, as if to suggest the reporter is crazy for even asking such a stupid question.
After this, Apple users on Slashdot will defend Steve Jobs. They'll state this can happen on any operating system, and that it is not Apple's responsibility. Then they're say how they are immune to viruses. They'll rejoice when they get their new version of Safari, which is limited to Apple's pre-approved sites.
Then their call will cut out, their screen will break, and their data will disappear. Steve Jobs will tell them that they are "holding it wrong". Apple fans will then bend over and take this abuse, at a personal cost of $4000.