170

Hacking Exposed: Mobile Security Secrets & Solutions

Figure 6-8 The dialer application on Android triggered by the tel URI scheme

URL, as shown in Figure 6-9. From a security perspective, requiring additional user interaction before actually calling the phone number provided in the URL is the correct action to take. Plenty of applications use custom URI schemes (handleopenurl.com/ currently lists over 600 custom URI schemes for iOS), but do they use them securely?

    <html>
      <body>
        <iframe src="tel:5555555555"></iframe>
      </body>
    </html>

Abusing Custom URI Schemes via Skype

In 2010, Nitesh Dhanjani documented that the Skype application for iOS supported a custom URI scheme (skype) but failed to prompt the user before performing actions such as dialing a phone number, assuming the user's credentials were cached. Therefore,
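The two cases above make the same point from opposite sides: the iOS dialer asks before placing a call requested by a tel: URL, while the Skype handler acted on its scheme without asking. The following is an added example, not code from the book or from Skype, of how an app-side handler for a custom URI scheme can enforce that rule. The scheme name exampleapp, the action names call, sms and profile, and the prompt=0 parameter are all hypothetical; the handler parses the incoming URI, validates the target, and returns a decision object in which every side-effecting action is flagged as requiring confirmation, so the UI cannot dial or message without first asking the user.

```javascript
// Added example (not from Hacking Exposed Mobile or from Skype): a defensive
// handler for a custom URI scheme. Whatever the URL asks for, any action with
// a side effect (dialing, messaging) is returned as "requires confirmation"
// so the calling UI must prompt the user before acting.

// Hypothetical scheme name and action vocabulary for the example app.
const APP_SCHEME = "exampleapp";
const SIDE_EFFECTING_ACTIONS = new Set(["call", "sms"]);
const READ_ONLY_ACTIONS = new Set(["profile"]);

// Accepts 3-15 digits with an optional leading "+" after common visual
// separators are stripped; letters, "#", "*", ";" and parameters are rejected.
const PHONE_RE = /^\+?[0-9]{3,15}$/;

function normalizePhone(raw) {
  const cleaned = raw.replace(/[\s().-]/g, "");
  return PHONE_RE.test(cleaned) ? cleaned : null;
}

// Minimal parser for scheme ":" path [ "?" query ]. Written by hand so the
// behaviour is the same on every platform the app is built for.
function parseUri(uri) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):([^?#]*)(?:\?([^#]*))?/.exec(uri);
  if (!m) return null;
  const params = new Map();
  for (const pair of (m[3] || "").split("&")) {
    if (!pair) continue;
    const [k, v = ""] = pair.split("=");
    params.set(decodeURIComponent(k), decodeURIComponent(v));
  }
  return { scheme: m[1].toLowerCase(), path: m[2], params };
}

// Returns a decision object; it never performs the action itself.
function handleIncomingUri(uri) {
  const parsed = parseUri(uri);
  if (!parsed) return { allow: false, reason: "malformed URI" };

  let action;
  let target;
  if (parsed.scheme === "tel") {
    action = "call";
    target = normalizePhone(parsed.path);
    if (!target) return { allow: false, reason: "invalid phone number" };
  } else if (parsed.scheme === APP_SCHEME) {
    // Layout assumed for the example: exampleapp:<action>/<target>
    const [act, ...rest] = parsed.path.replace(/^\/+/, "").split("/");
    action = act;
    target = rest.join("/");
    if (!SIDE_EFFECTING_ACTIONS.has(action) && !READ_ONLY_ACTIONS.has(action)) {
      return { allow: false, reason: "unknown action" };
    }
    if (action === "call" || action === "sms") {
      target = normalizePhone(target);
      if (!target) return { allow: false, reason: "invalid phone number" };
    }
  } else {
    return { allow: false, reason: "unsupported scheme" };
  }

  // Whether to prompt is decided by the action class alone. A URL parameter
  // such as ?prompt=0 is ignored: the URL comes from whoever authored the page
  // that triggered it, so nothing in it may waive the confirmation step.
  return {
    allow: true,
    action,
    target,
    requiresConfirmation: SIDE_EFFECTING_ACTIONS.has(action),
  };
}
```

The handler deliberately separates deciding from doing: the UI layer receives the decision, shows the number or contact to the user when requiresConfirmation is true, and only then calls the platform's dialer or messaging API. A cached login, as in the Skype case, changes nothing here because the confirmation requirement is attached to the action, not to the session state.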

