
November 10, 2010

iPhones Make Automatic Skype Calls

A researcher has found that iPhones can be duped into making Skype calls without first prompting the user. This is due to the way that iOS handles URL Schemes, which are used by applications to launch other applications. Just as http:// tells Safari to open the specified website, tel:// tells the Phone app to call the specified number. For the key built-in schemes, such as tel://, the user is prompted to confirm that the action is intended.

Some applications define their own URL Schemes, and Skype is one such app. However, these third-party apps do not ask for permission before performing the actions defined by that URL. This potentially allows websites to track iPhone users (via the Mobile Safari User Agent), and then embed an invisible iframe that forces Skype to open (if installed) and call the number.

<iframe src="skype://1900expensivepremiumnumber?call"></iframe>

This is just one example of how this can be abused, and there are many other apps which may define their own URL Schemes.

There are two ways this should probably be fixed. First, Apple should prompt the user before switching to the app specified by the URL Scheme. So in the case of the iframe above, iOS would pop up a warning saying: “This website wants to open Skype”, and the user could click on OK/Cancel. Secondly, but in some ways more urgently, third-party app developers should prompt the user before performing actions based on a URL.
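
The second fix, shown as an added example that is not from the original post or from Skype's code: a hypothetical app that registers the scheme `examplevoip` validates the incoming URL and asks the user before dialing. The scheme name, `CallRequest`, `parseCallRequest` and `placeCall` are assumptions made for illustration.

```swift
import UIKit

// Added example. "examplevoip", CallRequest, parseCallRequest and placeCall
// are hypothetical names; the URL shape mirrors the page: scheme://<number>?call
struct CallRequest { let number: String }

/// Accept only examplevoip://<3-15 ASCII digits>?call; reject everything else.
func parseCallRequest(from url: URL) -> CallRequest? {
    guard url.scheme?.lowercased() == "examplevoip",
          url.query == "call",
          let number = url.host,
          (3...15).contains(number.count),
          number.allSatisfy({ $0.isASCII && $0.isNumber })
    else { return nil }
    return CallRequest(number: number)
}

@main
final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?   // assumed to be set up by the app's launch code

    // iOS calls this when a page or another app opens examplevoip://...
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        guard let request = parseCallRequest(from: url) else { return false }
        confirm(request)   // the URL only proposes a call; the user decides
        return true
    }

    private func confirm(_ request: CallRequest) {
        let alert = UIAlertController(
            title: "Place call?",
            message: "A link asked this app to call \(request.number).",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { [weak self] _ in
            self?.placeCall(to: request.number)
        })
        window?.rootViewController?.present(alert, animated: true)
    }

    private func placeCall(to number: String) {
        // Hand off to the app's own calling code (not shown on the page).
        print("dialing \(number)")
    }
}
```

Apps built on the scene lifecycle receive these URLs in `scene(_:openURLContexts:)` instead, and the same parse-then-confirm step applies there.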
