
Apple IOS is wide open

Insecurity expert concerned
Tue Nov 09 2010, 09:34

INSECURITY EXPERT Nitesh Dhanjani has outlined a series of concerns he has with Apple's IOS in the SANS security blog.

While the operating system has been gaining popularity, Apple has done little to tighten the part of its security model that governs hand-offs between applications, which still relies on trusting third-party software to behave rather than on the platform enforcing a check.

Dhanjani said he is concerned that the way URL schemes are registered and invoked in Ios is not up to scratch.

URL protocol handlers can be invoked from the Safari browser, and Apple publishes the default URL schemes registered within Ios. For example, the tel: scheme launches the Phone application. Third-party applications can register their own schemes in the same way.

Unfortunately this means that a malicious website can launch a third-party Iphone application, passing it whatever the URL carries, without asking the user's permission.

If the user has Skype.app installed, has launched it before and has cached credentials, then a page that invokes Skype's URL scheme will, without warning, yank the user out of Safari into Skype, which immediately places the call.

"The security implications of this are obvious, including the additional abuse case where a malicious site can make Skype.app call a Skype-id who can then uncloak the victim's identity by analyzing the victim's Skype-id from the incoming call," Dhanjani says.

Apple's stance on the problem is to blame third-party software, which it claims should ask the user for authorisation before performing the transaction.

However, a third-party application can only ask for authorisation after the user has already been yanked out of Safari. A rogue website, or a legitimate one whose client-side code has been compromised through a persistent XSS flaw, can trigger the switch without the user's consent. Since applications on Ios run full-screen, the result is an abrupt and jarring experience for the user, Dhanjani said.
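The vectors described above, as an added example that is not from the article or from Dhanjani's SANS post: a scanner that finds invocations of non-web URL schemes in a page's markup and inline script and records whether each one fires on page load or only when the user taps a link. The sample page, the allow-list of http and https as the schemes Safari handles itself, and the skype:id?call form of the Skype URL are assumptions for illustration.

```javascript
// Added example, not from the article or Dhanjani's post: scan a page's markup
// and inline script for invocations of non-web URL schemes (tel:, skype:, ...)
// and record whether each fires on load or only on a click.

// Assumption: schemes Safari handles itself; anything else hands off to an app.
const WEB_SCHEMES = new Set(["http", "https"]);

// Scheme of an absolute URL, lower-cased; null for relative URLs.
function schemeOf(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Parse the attributes of one tag into an object keyed by lower-cased name.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return every URL in the page that would leave Safari for another app.
function findSchemeInvocations(html) {
  const findings = [];
  const record = (url, vector, automatic) => {
    const scheme = schemeOf(url);
    if (scheme && !WEB_SCHEMES.has(scheme)) {
      findings.push({ scheme, url: url.trim(), vector, automatic });
    }
  };

  // Markup vectors: links need a tap; iframes and meta refresh fire on load.
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (tag === "a" && attrs.href !== undefined) {
      record(attrs.href, "a[href]", false);
    } else if (tag === "iframe" && attrs.src !== undefined) {
      record(attrs.src, "iframe[src]", true);
    } else if (tag === "meta" && /^refresh$/i.test(attrs["http-equiv"] || "")) {
      const target = /url\s*=\s*(.+)$/i.exec(attrs.content || "");
      if (target) record(target[1], "meta[refresh]", true);
    }
  }

  // Script vectors: assigning a literal URL to location (or calling
  // location.assign/replace with one) navigates with no user action at all.
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const navRe =
    /\blocation(?:\.href)?\s*=\s*(["'])([^"']*)\1|\blocation\.(?:assign|replace)\s*\(\s*(["'])([^"']*)\3/g;
  while ((m = scriptRe.exec(html)) !== null) {
    let n;
    while ((n = navRe.exec(m[1])) !== null) {
      record(n[2] ?? n[4], "script", true);
    }
  }
  return findings;
}

// Only the invocations that fire without a tap are the ones the post is about.
function automaticInvocations(html) {
  return findSchemeInvocations(html).filter((f) => f.automatic);
}

// Constructed sample page (not from the article): one ordinary link, one tel:
// link, and three vectors that invoke a scheme with no user interaction.
const SAMPLE_PAGE = `<html><body>
<a href="https://example.test/contact">Contact</a>
<a href="tel:+15555550100">Call us</a>
<iframe src="skype:example-id?call" style="display:none"></iframe>
<meta http-equiv="refresh" content="0;url=tel:+15555550100">
<script>
  setTimeout(function () { window.location.href = "skype:example-id?call"; }, 2000);
</script>
</body></html>`;

console.log(findSchemeInvocations(SAMPLE_PAGE));
```

Run it with node; the hidden iframe, the meta refresh and the scripted navigation are the three findings flagged as automatic, which is exactly what a persistent XSS payload would use to pull a visitor into Skype without a tap. The attribute parsing is regex-based and meant for review tooling over a page's source, not as a substitute for a real HTML parser.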

A simple answer would be for Apple to let third-party applications register their URL schemes together with a prompt string, so that Safari can ask the user to authorise the hand-off before launching the external application.

Apple could also audit the security implications of registered URL schemes as part of its App Store approval process.
