Malicious URLs Pose Mobile Hijacking Risk

The security of mobile devices may be at risk for Web borne attacks because of loose policies for processing URLs (Uniform Resource Locators), according to a report by security researcher Nitesh Dhajani.

The security of mobile devices may be at risk for Web borne attacks because of loose policies for processing URLs (Uniform Resource Locators), according to a report by security researcher Nitesh Dhajani.

Writing on the SANS Application Security Blog, Dhanjani said that that way the iPhone’s operating system, iOS, handles different URL formats could allow a remote attacker to launch a Web based attack that forced the phone to perform unauthorized actions, including phone calls, chats, or even transactions.

The problem stems from the way iOS treats application specific URL schemes. These include Web page elements like phone numbers, mail links, YouTube or iTunes links. For such elements, the iPhone iOS is programmed to handle those links securely. As an example: clicking on a phone number link in a Web page results in the user being prompted to approve the call before it is initiated.

Dhanjani observed that
outside the small number of default URL schemes supported by iPhone,
handling of URL content falls to third party application developers. And
that’s where things get dicey.

As an example, he notes that clicking a link for a Skype phone number on a Web page would not result in the user being asked to approve the call before it was initiated, even though the end result – making a phone call from your iPhone – is no different.

In fact, parsing of the Skype URL is performed by the application, in code.That makes it impossible for Apple to police URLs accessed on the iPhone or to enforce proper formatting for Skype URLs. And that opens the door to application-based attacks.

Of course, unauthorized Skype calls or chats might not constitute an enormous security risk. But Dhanjani notes that there are many applications with their own URL schemes for the Safari browser, including a Facebook application, a GPS location application, as well as credit card processing and auto check deposit applications.

Fixes for the problems posed by insecure URLs on iPhone aren’t simple. Apple could require application developers to register custom URL schemes for iPhone iOS compatible applications. That would allow Apple to do integrity checking and prompt iPhone users for approval before launching the associated application. Making URL schemes viewable on iPhones could also allow users (and their employers) to understand which links will prompt specific responses or actions by their phone and restrict access to certain kinds of high risk URLs.

Security researchers are turning their attention, more and more, to mobile devices including iPhone and Google’s Android, as more and more sensitive data and applications accrue to such devices. At the recent ToorCon hacking conference in San Diego, researcher Eric Monti of TrustWave’s SpiderLabs said that a false sense of security may be the biggest danger posed by mobile devices, which have come to resemble pocket sized PCs – running variants of Windows, Linux and OSX – more than “phones.”

Suggested articles