Beware, mobile applications can make expensive phone calls at the victim’s expense

In Tips & Guides | October 13, 2014

There’s another way smartphone users can be nastily cheated. A Copenhagen developer has recently found out how smartphone applications can dial expensive numbers automatically without the user’s knowledge. What’s worse, all the calls are made at the unwitting victim’s expense. The developer tested the most widespread apps, and all of them failed the security test, so from now on every smartphone user should be more careful.

You probably know that phone numbers often appear on mobile devices in the form of links. This is done with a URI (Uniform Resource Identifier) scheme that starts calls. URI schemes are descriptions that tell your device the way to a certain resource. Clicking an e-mail address to open a mail application is, in short, how URI schemes operate in practice.

Andrei Neculaesei, a developer with the Danish wireless streaming company Airtame, is the one who discovered the risk connected with how the most popular native apps deal with dialing phone numbers.

If you are an iPhone user, you can feel relatively safe, since Apple’s browser Safari, when showing you a phone number as a link, always asks whether you would like to make a call. It should be mentioned, however, that this applies only to Safari: when you click the link in a native app’s webView, the system, instead of asking you for confirmation, performs the call almost immediately.

According to the test conducted by Neculaesei, big-name apps like Facebook Messenger, FaceTime, Gmail and Google+ won’t ask for your permission when making a call. Although most mobile apps can display a confirmation prompt, in most apps the function is simply turned off. Neculaesei tested only several of the most popular apps, but he says it’s hugely probable that smaller companies haven’t noticed the risk either.

On his blog, the developer showed how it works using a self-created web page containing JavaScript that forced a mobile app to make a call after you merely view the page. The malicious JavaScript automatically launches the phone number’s URI when the page is opened. Neculaesei also wrote that there’s a big risk that someone could create a similar link, connect it with a premium-rate number and use the method for financial gain.
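The confirmation step that the tested apps skip can be written as a navigation policy that the host app applies before handing a URL to the dialer. This is an added example, not code from Neculaesei's post or from any of the apps named; `decideNavigation`, `dialTarget`, `schemeOf` and the `userInitiated` flag are hypothetical names, and the phone numbers are constructed.

```javascript
// Schemes that hand control to the dialer. tel: is the one the article
// discusses; a host app would extend this set for its platform (assumption).
const CALL_SCHEMES = new Set(["tel"]);

// URI scheme per RFC 3986: case-insensitive, letter first.
function schemeOf(rawUrl) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(String(rawUrl).trim());
  return m ? m[1].toLowerCase() : null;
}

// Number to show in the confirmation prompt: percent-decode, drop RFC 3966
// parameters (";ext=..."), strip visual separators. Returns null if malformed.
function dialTarget(rawUrl) {
  const rest = String(rawUrl).trim().replace(/^[^:]*:/, "");
  let decoded;
  try {
    decoded = decodeURIComponent(rest);
  } catch {
    return null; // broken percent-escape
  }
  const number = decoded.split(";")[0].replace(/[\s().-]/g, "");
  return /^\+?[0-9*#]+$/.test(number) ? number : null;
}

// Decide what the host app does with a navigation request from its webview.
// userInitiated must be true only when the platform reports a real link tap.
function decideNavigation(rawUrl, userInitiated) {
  const scheme = schemeOf(rawUrl);
  if (scheme === null || !CALL_SCHEMES.has(scheme)) {
    return { action: "not-a-call" }; // left to the app's other rules
  }
  if (!userInitiated) {
    // Script or redirect opened the URI on page load: never dial.
    return { action: "block", reason: "not user-initiated" };
  }
  const target = dialTarget(rawUrl);
  if (target === null) {
    return { action: "block", reason: "malformed number" };
  }
  // Show the decoded number, not the link text, and wait for the user.
  return { action: "confirm", target };
}

// Constructed sample requests.
console.log(decideNavigation("tel:+4500000000", false));
console.log(decideNavigation("TEL:%2B45%2000%2000%2000%2000", true));
```

The prompt shows the decoded `target` rather than the link text, so the user sees the number that would actually be dialed.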

Interestingly, Neculaesei’s findings fit perfectly with the thesis of Guillaume K. Ross, an information security consultant in Montreal, who at the BSides security conference in Las Vegas also proved that URI schemes can be a tool by means of which we can lose data or have our privacy violated.

So far, Facebook and Google haven’t released official comments on the issue.

Source: Guillaume K. Ross (Video)
