iOS WebView auto dialer bug

"TL;DR: iOS WebViews can be used to automatically call an attacker controlled phone number. The attack can block the phone's UI for a short amount of time and therefore prevent the victim from canceling the call."

News of a bug that causes an iPhone to repeatedly call 911 reminded Mulliner of a flaw he reported to Apple, which Apple patched in Safari for iPhone almost eight years ago. On re-opening his investigation, he found that clicking a link in an app that displays content in an embedded WebView could force a device to automatically call a phone number, without asking the user for approval. While a user can quickly cancel a call, Mulliner's proof-of-concept demonstrated launching another app in front of the call to hide it from the user. A malicious individual could use this method to share links in an app that, when clicked, automatically dial a 1-900 number they control and rack up charges against the user. Let this be a reminder to follow security best practices when implementing WebViews in mobile apps.


