Hacking Exposed: Mobile Security Secrets & Solutions
Figure 6-8 The dialer application on Android triggered by the tel URI scheme
URL, as shown in Figure 6-9. From a security perspective, requiring additional user interaction before actually calling the phone number provided in the URL is the correct action to take. Plenty of applications use custom URI schemes (handleopenurl.com/ currently lists over 600 custom URI schemes for iOS), but do they use them securely?

<html>
  <body>
    <iframe src="tel:5555555555"></iframe>
  </body>
</html>
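The principle above, that a handler should require user interaction before acting on a URL it was handed, sketched as an added Swift example (not code from the book or from any application it names). The `exampleapp` scheme, the `call` action and the `number` parameter are hypothetical; the function only decides what to do and never dials by itself.

```swift
import Foundation

// What the app should do with an incoming custom-scheme URL.
enum URLDecision: Equatable {
    case reject(String)               // drop the request; the reason is for logging
    case confirmCall(number: String)  // show a prompt; dial only if the user accepts
}

// Treats every incoming URL as untrusted input: any web page or other app
// can supply it. "exampleapp", "call" and "number" are hypothetical names.
func decide(for url: URL) -> URLDecision {
    guard url.scheme?.lowercased() == "exampleapp" else {
        return .reject("unexpected scheme")
    }
    // Allow-list of actions: anything other than "call" is refused.
    guard let parts = URLComponents(url: url, resolvingAgainstBaseURL: false),
          parts.host == "call" else {
        return .reject("unsupported action")
    }
    // Exactly one number parameter, so a duplicate cannot override the first.
    let numbers = parts.queryItems?.filter { $0.name == "number" } ?? []
    guard numbers.count == 1, let raw = numbers[0].value else {
        return .reject("missing or repeated number parameter")
    }
    // Optional leading "+", then 3 to 15 ASCII digits. Pause and DTMF
    // characters such as "," and "#" are refused.
    let digits = raw.hasPrefix("+") ? String(raw.dropFirst()) : raw
    guard (3...15).contains(digits.count),
          digits.allSatisfy({ $0.isASCII && $0.isNumber }) else {
        return .reject("number is not plain digits")
    }
    // Even a well-formed request only earns a prompt, never a silent call.
    return .confirmCall(number: raw)
}

// Constructed sample URLs, not taken from any real application.
let samples = [
    "exampleapp://call?number=5555555555",
    "exampleapp://call?number=555%2C%2C123%23",
    "exampleapp://call?number=1&number=5555555555",
    "exampleapp://delete-account",
]
for sample in samples {
    if let url = URL(string: sample) {
        print(sample, "->", decide(for: url))
    }
}
```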
Abusing Custom URI Schemes via Skype

In 2010, Nitesh Dhanjani documented that the Skype application for iOS supported a custom URI scheme (skype) but failed to prompt the user before performing actions such as dialing a phone number, assuming the user's credentials were cached. Therefore,