Andrei Neculaesei, a Copenhagen-based full-stack developer, has thrown his hat into the mobile app security debate by raising concern about poorly implemented handling of URI schemes in many popular apps. Neculaesei argues that because many developers neglect to implement a basic confirmation step, unwitting users could fall victim to malicious web content that, in theory, triggers expensive phone calls from the device without their consent.
It’s highly likely that the majority of mobile app users have triggered a URI scheme at some point during their mobile usage. It’s equally likely that most users never connect the action they see with what the app’s underlying code is doing.
Uniform Resource Identifiers, or URIs, are frequently used within native mobile apps to trigger a specific action, with the scheme at the front of the URI deciding which app handles it. Examples include tapping an email address (a mailto: link) to open the Mail app on iOS, or tapping a phone number (a tel: link) in Mobile Safari to place a call to that number through the Phone app.
In many parts of iOS, Apple displays a user-facing alert asking permission before carrying out the action. Tap a phone number within Mobile Safari and you’ll get a prompt asking whether you wish to make the call. It is very much an "opt-in" action, with Apple asking for explicit permission from the user before performing it. However, Neculaesei rightly points out that not all developers implement this confirmation step, with a number of popular apps, including Facebook Messenger, Apple’s own FaceTime and Google’s G+ app, placing the call regardless.
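The confirmation step the article describes is straightforward to add in an app that renders untrusted web content. The following Swift snippet is an added example written for this page; it is not code from the article, from Neculaesei, or from any of the apps named above, and the `SafeWebViewController` class, the `schemesNeedingConfirmation` list and the prompt wording are this example's own assumptions. It shows the weak pattern (handing every non-web URL straight to the system, so a page that links or script-navigates to a tel: URI dials immediately) beside a hardened `WKNavigationDelegate` that cancels the navigation and only opens tel:, facetime: or sms: URIs after the user explicitly agrees in an alert that names the destination.

```swift
import UIKit
import WebKit

// Schemes whose target app starts a billable or otherwise user-visible
// action as soon as the URL is opened. Constructed list for this example;
// extend it for any other scheme your app is prepared to hand off.
private let schemesNeedingConfirmation: Set<String> = [
    "tel", "facetime", "facetime-audio", "sms"
]

final class SafeWebViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)
    }

    // Weak pattern (the behaviour the article criticises): every non-web URL
    // goes straight to UIApplication. A page containing <a href="tel:...">,
    // or a script that sets window.location to a tel: URI, places the call
    // with no prompt from the app.
    func openWithoutConfirmation(_ url: URL) {
        UIApplication.shared.open(url, options: [:], completionHandler: nil)
    }

    // Hardened pattern: intercept every navigation, keep http(s) inside the
    // web view, and never let a tel:/facetime:/sms: URI leave the app until
    // the user has confirmed the exact destination.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }

        if scheme == "http" || scheme == "https" {
            decisionHandler(.allow)
            return
        }

        // Anything else would hand control to another app: cancel the load
        // in the web view, then decide separately whether to open it at all.
        decisionHandler(.cancel)
        if schemesNeedingConfirmation.contains(scheme) {
            confirmThenOpen(url)
        }
        // Unknown custom schemes are dropped rather than forwarded blindly.
    }

    private func confirmThenOpen(_ url: URL) {
        // Show the destination taken from the URI itself, not the link's
        // visible text, so a link labelled "Call support" cannot hide a
        // premium-rate number.
        let scheme = url.scheme ?? ""
        let destination = url.absoluteString.dropFirst(scheme.count + 1)
        let alert = UIAlertController(
            title: "Open \(scheme)?",
            message: "This will contact \(destination).",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Continue", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```

The important design choice is that the delegate cancels the navigation unconditionally for non-web schemes and then re-opens the URL itself only from the alert's "Continue" handler; relying on the web view, or on the target app, to prompt is exactly the assumption that turned out to be false in the apps the article names.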