INSECURITY EXPERT Nitesh Dhanjani has outlined a series of concerns he has with Apple's IOS in the Sans security blog.
While the operating system has been getting popular, Apple has not done much to improve the security system, which is essentially faith-based.
Dhanjani said that he is concerned that the methods of how URL schemes are registered and invoked in Ios are not up to scratch.
The URL Protocol Handlers can be invoked by the Safari browser and Apple has listed the default URL Schemes that are registered within Ios. For example, the tel: scheme can be used to launch the phone application.
Unfortunately this means that a malicious website could launch the Iphone application without permission.
If the user has Skype.app installed and has launched Skype in the past and cached the user's credentials, then without warning Safari yanks the user into Skype which immediately initiates the call.
"The security implications of this is obvious, including the additional abuse case where a malicious site can make Skype.app call a Skype-id who can then uncloak the victim's identity by analyzing the victim's Skype-id from the incoming call," Dhanjani says.
Apple's stance on the problem is to blame third-party software, which it claims should ask the user for authorisation before performing the transaction.
However third party applications can only ask for authorisation after the user has already been yanked out of Safari. A rogue website, or a website whose client code may have been compromised by a persistent XSS, can yank the user out of the Safari browser. Since applications on Ios run in full-screen mode, this can be an annoying and jarring experience for the user, Dhanjani said.
A simple answer is for Apple to allow third party applications the option of registering their URL schemes with strings for Safari to prompt and authorise prior to launching the external application.
Apple could audit the security implications of registered URL schemes as part of its App Store approval process. µ