updated 04:48 pm EDT, Mon August 25, 2014
Major apps identified as culprits
A number of iOS apps -- including Facebook Messenger, Gmail, and Google+ -- have a security vulnerability that could allow malicious parties to force an iPhone to auto-dial, observes Romanian developer Andrei Neculaesei. iOS supports a tel:// URI that can make a call automatically, even though developers are allowed to bypass confirmation prompts for the dialer if they want. Through a vulnerable app and the right web code, a person could potentially be tricked into dialing a toll number. A FaceTime variant could let someone capture images of a person before disconnecting.
Neculaesei suggests that the problem lies with developers and not Apple, since documentation explains the situation and identifies how apps can be configured to display warning prompts. "While I only tested on a few apps which are big names, it is safe to assume that the smaller teams and platform haven't even thought about preventing this," he adds.