DOC RABE Media - Fotolia
A researcher found that mobile apps with Apple's WebView embedded into them are vulnerable to denial-of-service attacks and phone calls initiated by attackers. An individual has been arrested for tweeting an exploit that resulted in a flood of calls being made by those who clicked on it to 911 emergency call centers. How does WebView work, and how are attackers taking advantage of it?
The WebKit framework that Apple uses allows iOS developers to display web content and implement common browser features, such as following hypertext links when clicked by the user and managing a history of pages visited recently. It greatly simplifies the complicated process of loading webpages.
WebView is the core view class in the WebKit framework, and it is used by many apps, such as Twitter and LinkedIn, as it can style and render content very efficiently.
There have been various vulnerabilities discovered in the WebKit framework over the years, and one that was reported to Apple by researcher Collin Mulliner back in 2008 appears to have resurfaced. The vulnerability allows an attacker to initiate phone calls to numbers of their choosing.
The WebKit framework vulnerability is trivial to exploit; an attacker only needs the victim to visit a site hosting a few simple, but malicious, lines of HTML code that redirects them to a Uniform Resource Identifier for telephone numbers (tel URI).
The vulnerability is due to poor programming, combined with weak WebKit framework defaults and a possible bug with the handling of tel URIs. Due to its ease of exploitation, app developers that use WebView to display content should review their code and ensure that it is not vulnerable to this attack as soon as possible. Note that apps that open links in the Safari or Chrome mobile apps are not vulnerable. There should be code within an app that checks the URL schema before executing it, and that shows the user a pop-up dialog before executing a tel URI or opening another app on the device.
Until there are app mitigations against this attack, and Apple changes the default behavior of WebView, malicious or compromised sites can exploit this vulnerability to force a victim's phone to dial premium rate numbers; launch denial-of-service attacks, like the attack against the 911 service; or obtain the user's phone number.
Learn the basics of developing an iOS application
Find out how a bug in the Signal app allowed for the alteration of encrypted attachments
Read how the Instagram app can be turned into C&C infrastructure
Dig Deeper on Denial of Service (DoS) Attack Prevention
Related Q&A from Michael Cobb
By performing ongoing risk assessments, organizations can keep their SSH vulnerabilities at a minimum and ensure their remote access foundation is ... Continue Reading
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading