A researcher found that mobile apps with Apple's WebView embedded into them are vulnerable to denial-of-service attacks and phone calls initiated by attackers. An individual has been arrested for tweeting an exploit that resulted in a flood of calls being made by those who clicked on it to 911 emergency call centers. How does WebView work, and how are attackers taking advantage of it?
The WebKit framework that Apple uses allows iOS developers to display web content and implement common browser features, such as following hypertext links when clicked by the user and managing a history of pages visited recently. It greatly simplifies the complicated process of loading webpages.
WebView is the core view class in the WebKit framework, and it is used by many apps, such as Twitter and LinkedIn, as it can style and render content very efficiently.
There have been various vulnerabilities discovered in the WebKit framework over the years, and one that was reported to Apple by researcher Collin Mulliner back in 2008 appears to have resurfaced. The vulnerability allows an attacker to initiate phone calls to numbers of their choosing.
The WebKit framework vulnerability is trivial to exploit; an attacker only needs the victim to visit a site hosting a few simple, but malicious, lines of HTML code that redirect them to a Uniform Resource Identifier for telephone numbers (tel URI).
The vulnerability is due to poor programming, combined with weak WebKit framework defaults and a possible bug with the handling of tel URIs. Due to its ease of exploitation, app developers who use WebView to display content should review their code and ensure that it is not vulnerable to this attack as soon as possible. Note that apps that open links in the Safari or Chrome mobile apps are not vulnerable. There should be code within an app that checks the URL scheme before executing it, and that shows the user a pop-up dialog before executing a tel URI or opening another app on the device.
Until there are app mitigations against this attack, and Apple changes the default behavior of WebView, malicious or compromised sites can exploit this vulnerability to force a victim's phone to dial premium rate numbers; launch denial-of-service attacks, like the attack against the 911 service; or obtain the user's phone number.
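One way to implement the scheme check and confirmation dialog described above, as an added example that is not code from the original article or from Apple. It assumes the app renders content in a WKWebView with a navigation delegate; the class name `GuardedWebViewController` and both scheme lists are hypothetical and should be adapted to the app.

```swift
import UIKit
import WebKit

// Added example: class name and scheme lists are hypothetical.
final class GuardedWebViewController: UIViewController, WKNavigationDelegate {
    // Schemes the web view is allowed to load by itself.
    private let inlineSchemes: Set<String> = ["http", "https", "about"]
    // Schemes that hand off to the dialer or another app: user consent required.
    private let confirmSchemes: Set<String> = ["tel", "sms", "facetime", "mailto"]
    private let webView = WKWebView()

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }
        if inlineSchemes.contains(scheme) {
            decisionHandler(.allow)
            return
        }
        // The web view itself never acts on a non-web scheme.
        decisionHandler(.cancel)
        // Redirects and script-driven navigations are dropped silently;
        // only an explicit tap on a link may offer the hand-off.
        guard confirmSchemes.contains(scheme),
              navigationAction.navigationType == .linkActivated else { return }
        let alert = UIAlertController(title: "Open outside this app?",
                                      message: url.absoluteString,
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Continue", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```

Because the dialog shows the full URI, the user sees the number that would be dialed before anything leaves the app.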