Remember that big security flaw in Android that could allow nefarious sites to trigger phone calls to premium-rate phone numbers, potentially costing you huge amounts of money before you even realize something is wrong? Well, it turns out that a similar flaw exists in iOS, and iPhone users are at risk as well.
Andrei Neculaesei, a developer at Copenhagen-based wireless streaming company Airtame, has discovered that many popular iOS applications include functionality that could be exploited to trigger premium-rate calls on any iPhone.
“When a user taps a telephone link in a webpage, iOS displays an alert asking if the user really wants to dial the phone number and initiates dialing if the user accepts,” Neculaesei wrote in a post on his blog. “When a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user.”
He continued, “So if I click the link in Safari I get the prompt asking me to confirm my action, if I click the link in a native app’s webView it doesn’t ask and performs the action right away (makes the call).”
Neculaesei noted that hugely popular apps, including Facebook, Twitter, Google, LinkedIn, Facebook Messenger, Google+, Gmail and FaceTime, are all vulnerable to this flaw.
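One way an app that embeds a web view can restore the confirmation step Safari shows, as an added example that is not code from Neculaesei's post or from any of the apps named. It assumes the app renders pages in a `WKWebView`; `ConfirmingCallDelegate` and its member names are hypothetical.

```swift
import UIKit
import WebKit

/// Navigation delegate (hypothetical name) for an in-app web view. Web content
/// can never start a call on its own: every tel: URL is cancelled inside the
/// web view and only dialed after the user confirms the number shown.
final class ConfirmingCallDelegate: NSObject, WKNavigationDelegate {
    // Schemes that hand off to the dialer. Extend the set if the app's
    // threat model covers other schemes that act outside the web view.
    private let dialSchemes: Set<String> = ["tel"]
    private weak var presenter: UIViewController?

    init(presenter: UIViewController) {
        self.presenter = presenter
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased(),
              dialSchemes.contains(scheme) else {
            decisionHandler(.allow)          // ordinary page navigation
            return
        }
        // The web view itself never follows a dial URL.
        decisionHandler(.cancel)

        // Drop attempts that did not come from the user activating a link
        // (script-driven navigation, redirects, frame loads).
        guard navigationAction.navigationType == .linkActivated else { return }
        confirmCall(to: url)
    }

    private func confirmCall(to url: URL) {
        // Show the part after "tel:" so the user sees what would be dialed.
        let number = (url as NSURL).resourceSpecifier ?? url.absoluteString
        let alert = UIAlertController(title: "Call \(number)?",
                                      message: "This link came from a web page.",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        presenter?.present(alert, animated: true)
    }
}
```

`WKWebView.navigationDelegate` is a weak reference, so the owning view controller has to keep the delegate instance in a stored property.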