Qualcomm Mobile Security Summit 2017 San Diego, May. All talks are on mobile security - super strong lineup!
AppSec EU May 11-12, Belfast. How to steal mobile wallet? - Mobile contactless payments apps attack and defense. Fixing Mobile AppSec: The OWASP Mobile Project.
MOSEC June Shanghai. Pwning Apple Watch. (program not complete yet!)
OffensiveCon is a new security conference in Berlin Germany focused on Offense. No details yet but they chose the right location for sure.
For everybody who didn't make it to the Android Security Symposium, they recorded the talks and the videos are available: here.
Google published a blog post and a detailed report on Android Security in 2016. The report covers everything from patching and update stats to high impact vulnerabilities. People posted a lot of summaries but you should really read it yourself if you work with Android.
Google pulls March security update for Nexus 6, after it breaks SafetyNet and Android Pay. This was pretty interesting, not the fact that they broke SafetyNet but that they broke it for their own devices (Nexus). This happened to some really small manufacturer before and if you have an idea of how SN works on the backend - it is clear what happened.
execute USSD codes in iOS 10.2.xx --bug-Impact: Tapping a tel link in a PDF document could trigger a call without prompting the user #lol— Ravishankar Borgaonk (@raviborgaonkar) March 27, 2017
Android anti-debugging tricks can be patented? This is stupid in so many ways https://t.co/IjXfg45xoN— Bernhard Mueller (@muellerberndt) March 25, 2017
Anti Debugging fun Android Art
PageSwitch an exploit toolkit for the Nintendo switch
Ransomware scammers exploited Safari bug to extort porn-viewing iOS users
Increasing Android app security for freei (slides)
Looking Back at Android Security in 2016 by DuoSecurity
OWASP Mobile - Anti Reversing Checks
Android/Ztorg teardown - It detects the Android SDK emulator, but also emulators from Genymotion, Bluestacks and BuilDroid. It also detects tainted environments. Several of its checks will be difficult to bypass
Owning OnePlus 3/3T with a Malicious Charger
The updated iOS Security Guide now covers iOS 10
iOS 10.3 fixes a large number of Kernel and WebKit bugs
Statistical Deobfuscation for Android (I suppose this is for Dex code only)
Hacking Android Apps with Frida (part 2)
Nexus 5X Owners Say Device Boot-Looping Kills Phones; Getting Runaround From LG
This American Surveillance Tool Helped Russians Spy On Androids And iPhones
Apple cracking down on developers who use SDKs like Rollout to update apps without App Store approval (Apple going after hot-patching frameworks)
Attacking Nexus 9 with Malicious Headphones
GSMA Coordinated Vulnerability Disclosure Program
gdrive-appdata: Tries to fetch the contents of the appdata hidden folder from Google Drive.
Harald Welte about TelcoSecDay 2017 @ Troopers
NDK changes for API level 26
O-MG, the Developer Preview of Android O is here!
Android API Differences Report
Frustrated by robo callers & an AT&T subscriber? Get the AT&T call protect app
Samsung commits to monthly security updates for unlocked US smartphones
Android phone market stats
20 bestselling mobile phones of all time
Android Kernel CVE PoCs
Mobile Malware Masquerades as POS Management App
Judge an Android malware scanner by rednaga.io (@timstrazz and @caleb_fenton)
The Art Of Bootloader Unlocking: Exploiting Samsung S-Boot (video from nullcon talk)
Having fun with Secure Messengers and Android Weari (slides CansecWest 2017)
Pwning the NExus of Every Pixel (slides CanSecWest 2017)
Injecting Metasploit Payloads into Android Applications
Receive FREE SMS online (number in various countries)
TrustZone An Attackers Perspective (slides)
Reverse Engineering Samsung S6 SBOOT - Part I
Letter to the FCC on SS7 Security by Ron Wyden
FCC: Legacy Systems Risk Reductions (it's about ss7)
Black Hat ASIA Singapore March 28-31. FRIED APPLES: JAILBREAK DIY by Alex Hude, Max Bazaliy, Vlad Putin. ANTI-PLUGIN: DON'T LET YOUR APP PLAY AS AN ANDROID PLUGIN by Cong Zheng, Tongbo Luo, Xin Ouyang, Zhi Xu. REMOTELY COMPROMISING IOS VIA WI-FI AND ESCAPING THE SANDBOX by Marco Grassi. 3G/4G INTRANET SCANNING AND ITS APPLICATION ON THE WORMHOLE VULNERABILITY by Guangdong Bai, Zhang Qing. MOBILE-TELEPHONY THREATS IN ASIA by Lion Gu, Marco Balduzzi, Payas Gupta. MASHABLE: MOBILE APPLICATIONS OF SECRET HANDSHAKES OVER BLUETOOTH LE by Yan Michalevsky.
CanSecWest Vancouver Canada, March 15-17. Qidan He : Pwning Nexus of Every Pixel: Chain of Bugs demystified. Logic Bug Hunting in Chrome on Android by Georgi Hershey & Robert Miller.
Zer0Con Seoul, Korea April 13-14. Ian Beer : Through the mach portal.
OsmoCon (Osmocom Conference) 2017 is the first technical conference for Osmocom users, operators and developers! April 21, Berlin. All about Osmocom!
HITB Amsterdam April 13-14. FEMTOCELL HACKING: FROM ZERO TO ZERO DAY by JeongHoon Shin. CAN'T TOUCH THIS: CLONING ANY ANDROID HCE CONTACTLESS CARD by Slawomir Jasek. EXTRACTING ALL YOUR SECRETS: VULNERABILITIES IN ANDROID PASSWORD MANAGERS by Stephan Huber, Steven Artz, Siegfried Rasthofer. HUNTING FOR VULNERABILITIES IN SIGNAL by Markus Vervier.
Opcde Dubai, UAE April 26-27. Practical attacks against Digital Wallet by Loic Falletta.
I took a way too long break again. So many things happen in the world of mobile security every week. I really wish I had more time for this. I also have a bunch of small things I need to put on this blog but I think they are too specific for the news and will likely get their own posts.
Some news from MWC (I didn't attend):
First the BlackBerry KEYone a new Android-based phone with a physical keyboard. Other then the BB Priv the KEYone's keyboard is fix and doesn't slide. Movable parts are really not a good idea, they break way too fast. In my opinion this device looks super solid and likely will be supported longer than the average flagship phone from other manufacturers (data on this would be awesome).
Nokia released 3 new Android phones the 3 (MTK), 5 (QCOM) and 6 (QCOM). The phones seem to run Android N without any modifications or vendor crap. Very low price (230Euro for the 6). The bottom of their website specifically says: You get an experience that's focused and clutter-free, and we'll make sure you keep getting regular updates, so you'll always stay on top of features and security. that is what you should expect in 2017.
The Android Devices Security Patch Status page is an awesome resource to determine if a specific device from a specific vendor has been patched and when the patch was released. From the page: This list is Prepared to Serve as a Quick reference to identify which Device is being actively maintained by the Vendor.. This is super useful, thanks!
Xiaomi launching own SoC for Android phones-upgradable baseband with fake base station detection capabilities. IMSI catchers r threat now ;) pic.twitter.com/S0hzDBIiQd— Ravishankar Borgaonk (@raviborgaonkar) March 2, 2017
Apple 0day is expensive. https://t.co/F1UEUU0s3r— Collin Mulliner (@collinrm) February 22, 2017
MOSEC mobile security conference in June in Shanghai. This seems to be the 3rd year of the conference. There is no schedule yet.
The story of the day Vault 7: CIA Hacking Tools Revealed. Vault 7: CIA Hacking Tools Revealed : iOS Exploit list. Yes, the CIA uses n-day exploits! The Android exploits.
They talk about Android, Defcon, and backdooring your repo? ;-)
Pic of the month:
ENISA: Smartphone Secure Development Guidelines
Android Security Bulletin - March 2017
Android Security Bulletin - February 2017
Vault 7: CIA Hacking Tools Revealed
Multi-BTS with Osmocom and a single UmTRX
Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis Paper and Tool
Booting into fastboot mode Instructions for all Nexus devices
TROOPERS17 GSM Network - How about your own SMPP Service?
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models paper
Exploiting Android S-Boot: Getting Arbitrary Code Exec in the Samsung Bootloader (1/2)
Android ransomware requires victim to speak unlock code
Hacking Android phone. How deep the rabbit hole goes.
Sunny with a chance of stolen credentials: Malicious weather app found on Google Play 5k installs via Google Play!
iOS keychain items used to persist after app uninstall. As of iOS 10.3 beta 2, deleting app deletes keychain items via @hubert3
SunShine 3.4.27 is out - Bringing unlock support for Droid Turbo on 6.0.x
Cellular re-broadcast over satellite
Identifying Rebroadcast (GSM) also linked in post above
ios-triage - Node.js cli for iOS incident response. Program will extract, process and report (including diffs) on iOS device and app telemetry.
Remote control: Companies blur lines over who owns devices
Shodan.io iOS App
Analysis of iOS.GuiInject Adware Library
Patching and Re-Signing iOS Apps
Lifting the (Hyper) Visor: Bypassing Samsung's Real-Time Kernel Protection
Android ransomware repurposes old dropper techniques
Deobfuscating libMobileGestalt keys
Samsung: Stack buffer overflow in OTP TrustZone trustlet
How easy it would be to hack Trump's phone by my friend Zach aka @quine
iOS 10.2 Yalu Jailbreak Now Supports All 64-bit Devices except iPhone 7 and iPad Air 2
Android bootloader (aboot) parser
Tracking Android Security Update across Devices
SAMSUNG KNOX 1.0 ECRYPTFS KEY GENERATOR WEAK ENCRYPTION
Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java
Black market Blackphones get sent a kill message that bricks them
iOS/MacOS kernel memory corruption due to userspace pointer being used as a length
Update on the Fancy Bear Android malware (poprd30.apk)
An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps (paper)
Charger Malware Calls and Raises the Risk on Google Play
Secrets leak in Android apps online service to test APKs
26 security issues in major Android password manager apps
Easy 4G/LTE IMSI Catchers for Non-Programmers (paper)
App-in-the-Middle Attack Bypasses Android for Work Secure Framework
Android FRIDA: Add support for enumerateLoadedClasses() on ART
Android: Inter-process munmap in android.util.MemoryIntArray
Owning a Locked OnePlus 3/3T: Bootloader Vulnerabilities
Binary based obfuscation in a way of CTF kids. We obfuscate your apps, support both iOS/Android.
Android (Huawei) privilege escalation in EMUI keyguard app via loading shellcode in theme pack
The Story of Firefox OS
The European Union Agency for Network and Information Security (ENISA) asked Ioannis Stais, Vincenzo Iozzo, and myself to update their guidelines for secure smartphone app development. The result is not much of an update but an entire rewrite of the guidelines. It was a fun project to do and I think all parties involved in the project are proud of the final result.
The Smartphone Development Guidelines website provides a brief overview of the effort. The actual document can be downloaded here Smartphone_development_Guidelines.pdf
I would like to thank everybody again who helped on the project the project coordinators at ENISA and everybody who reviewed the document and provided feedback!
Recon Brussels Brussels, 27-29 January. Analyzing iOS apps: road from AppStore to security analysis report by Lenar Safin, Yaroslav Alexandrov, Egor Fominykh, Alexander Chernov.
31CON Auckland NZ, 23-24 February. RAVISHANKAR BORGAONKAR (UK): PRIVACY ISSUES IN 4G. PHILIPPE LANGLOIS (FRANCE): something about mobile networks.
Android Security Symposium 2017 Vienna Austria, March. Many interesting talks.
Troopers Heidelberg, Germany. March. Hunting For Vulnerabilities in Signal by Jean-Philippe Aumasson, Markus Vervier. Samsung Pay: Tokenized Numbers, Flaws and Issues by Salvador Mendoza.
TelcoSecDay @ Troopers It's no use crying over spilled 2G,3G,4G - what we need to fix in 5G. Outlook on 5G security from 3GPP perspective. Automated large-scale detection of rogue base stations: A field report. Exploring fraud in telephony networks, an illustration with Over-The-Top Bypass.
Infiltrate Miami, FL. March. Jean-Philippe Aumasson, Markus Vervier: Hunting For Vulnerabilities in Signal. Georgi Geshev, Robert Miller: Logic Bug Hunting in Chrome on Android. Marco Grassi, Liang Chen: Remotely Compromising a Modern iOS Device. Vasilis Tsaousoglou, Patroklos Argyroudis: The Shadow over Android: Heap exploitation assistance for Android's libc allocator. Ralf-Phillip Weinmann: Did I hear a shell popping in your baseband?.
CFPs backdoor story is just bad and will drive users away from a secure messaging app (maybe even the biggest install based of all of them). Zeynep Tufekci wrote an open letter to the Guardian to have them update the story. Moxie also wrote a blog post about these claims. The Guardian should have asked people with the technical expertise for advice before publishing the story.
AT&T 2G network shutdown happened on Dec 31 2016
AndroidXRef is looking for sponsors!
The mobile talks from 33c3 are all totally worth watching (no particular order):
Dissecting modern (3G/4G) cellular modemsPics of the month:
Downgrading iOS: From past to present
Geolocation methods in mobile networks
Shut Up and Take My Money! The Red Pill of N26 Security
Code BROWN in the Air. A systemic update of sensitive information that you sniff from pagers
Samsung Android Security Updates for January
Secure boot and image authentication in mobile tech (white paper)
Practical Android Debugging Via KGDB
We reverse engineered 16k apps, here's what we found (hardcoded secrets mostly) they also have an online tool
Very detailed description of hacking the Kyocera KC-S701(Russian)
LG G3 Arbitrary File Retrieval from Cloud Services
Trojanized Photo App on Google Play Signs Up Users for Premium Services
OnePlus 3/3T Bootloader Vulnerability Allows Changing of SELinux to Permissive Mode in Fastboot
Qualcomm releases whitepaper detailing pointer authentication on ARMv8.3 (whitepaper)
IoT mode fuzzing with OpenBTS
buy a BlackPhone for 120 Euros
Security conferences in 2017
Summary of Critical and Exploitable iOS Vulnerabilities in 2016
Switcher: Android joins the attack-the-router club
Cyanogen's Services Will Be Shutting Down (the commercial part of CyanoGen mode)
V3SPA: An Open Source Tool for Visually Analyzing and Diffing SELinux/SE for Android Security Policies
Project Zero exploit for iOS 10.1.1
OWASP Mobile Security Testing Guide (Work in Progress)
Android Banking Trojan Source Code Leaked Online, Leads to New Variation Right Away
A theme pack got you pwned with system privilege on Huawei's EMUI
Google Rolls Out Instant Apps Feature For Android: Download And Run Apps Without Installing Them
Open source 3GPP LTE library
fastboot oem sha1sum
Automating iOS blackbox security scanning (slides)
Meitu Android App TearDown
Hooking Android System Calls for Pleasure and Benefit
iOS9 iCloud backup retrieval proof of concept
Pixel bootlaoder exploit for reading flash storage
Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes
Wap Push bugs in Samsung Android phones
Virulent Android malware returns, gets >2 million downloads on Google Play
HIJACKING WHATSAPP ACCOUNTS USING WHATSAPP WEB
Security Analysis of the Telegram IM (a Master's Thesis)
Android Security Bulletin - January 2017
Classification of Smartphone Users Using Internet Traffic (paper)
LG posts January security bulletin ahead of Google with Android and LG-specific patches
Analysis of multiple vulnerabilities in AirDroid
Android banking Trojan asks victims to send selfies with ID cards
A Whale of a Tale: HummingBad Returns
iOS Dropbear SSH
33c3 Hamburg, Germany 27-30 December. Downgrading iOS: From past to present by tihmstar. A look into the Mobile Messaging Black Box by Roland Schilling and Frieder Steinmetz. Dissecting modern (3G/4G) cellular modems by LaForge and holger. Geoloation methods in mobile networks by Erik.
Shmoocon Washington D.C. January. A Context-Aware Kernel IPC Firewall for Android - David Wu, Sergey Bratus.
Black Hat ASIA March 2017. FRIED APPLES: JAILBREAK DIY by Alex Hude and Max Bazaliy. MASHABLE: MOBILE APPLICATIONS OF SECRET HANDSHAKES OVER BLUETOOTH LE by Yan Michalevsky. REMOTELY COMPROMISING IOS VIA WI-FI AND ESCAPING THE SANDBOX by Marco Grassi.
I had to skip the November update due to a long overdue vacation. Playing with iOS webviews also did cost some time. Writing this blog becomes more and more time consuming since for some parts I would rather spent time on research than writing about other peoples research. Will see next year if I continue doing this or not. I'm doing this since January 2009 so it has been a few years.
Opcde ConferenceSamsung confirms it will render the US Note 7 useless with next update since the owners don't seem to care to return the phones to Samsung even tho they would get a replacement device. This is kind of hilarious.
Browser based iOS 9.3.x jailbreak (64bit only) it has been a while.
Chinese company installed secret backdoor on hundreds of thousands of phones
Here is the BLU R1 blind system command execution via Adups from July of this year - anyone think they care? pic.twitter.com/veUMGD8zSy— Tim Strazzere (@timstrazz) November 22, 2016
Recently the topic of SMS 2FA came up again. While I agree that SMS is not the most secure version of 2FA it is far far better then not providing any 2FA mechanism for your service.
Seems like the right ordering, but when deployment is 98% < 2% < .5% < .01% complaining about SMS security is pretty silly. https://t.co/5ex3naa5a5— Alex Stamos (@alexstamos) December 1, 2016
Oxygen 9.0.3 allows to brute force a passcode for any Windows Phone 8 device from its physical dump!
Android system_server Code Loading Bypass
"Root" via dirtyc0w privilege escalation exploit (automation script) / Android (32 bit) Raw
Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems (paper)
JTAGing Mobile Phones (from August)
The limitations of Android N Encryption
The fight against Ghost Push continues
BitUnmap: Attacking Android Ashmem
Saving Data: Reducing the size of App Updates by 65% (looks interesting)
More Than 1 Million Google Accounts Breached by Gooligan
Telstra is switching off their GSM network
Qualcomm has a Bug Bounty now
Nintendo has a Bug Bounty now
Secure Rom extraction on iPhone 6s
Android Security Bulletin - December 2016
HackingTeam back for your Androids, now extra insecure!
SunShine 3.4.18 has been released. Bring Support for Android 7.x.x and latest HTC 10 updates
A detailed security assessment on Android Full Disk Encryption (paper)
BitUnmap: Attacking Android Ashmem
Fuzzing Android OMX (slides)
Anonymous web-based SMS
Mobile Network Codes (MNC) for the international identification plan for public networks and subscriptions (According to Recommendation ITU-T E.212 (09/2016))
Call me maybe: Exploiting iOS WebViews to force automatic FaceTime calls
Android Banking Malware Masquerading as Email App Targets German Banks
Second Chinese Firm in a Week Found Hiding Backdoor in Firmware of Android Devices
Powerful backdoor/rootkit found preinstalled on 3 million Android phones
RAGENTEK ANDROID OTA UPDATE MECHANISM VULNERABLE TO MITM ATTACK
New Reliable Android Kernel Root Exploitation Techniques (slides)
Analysis of iOS.GuiInject Adware Library
Android Security Bulletin - November 2016
HelDroid: Dissect Android Apps Looking for Ransomware Functionalities
Rooting Every Android From Extension To Exploitation by Di Shen (slides)
Mobile Espionage in the Wild Pegasus and Nation-State Level Attacks (slides)
The Android Security Center
Technical Analysis of the Pegasus Exploits on iOS (paper)
Just a place to dump the cdma data I collected while at Defcon 2016
CRiOS: Toward Large-Scale iOS Application Analysis (paper)
Exploring LTE security and protocol exploits with open source software and low-cost software radio by Roger Jover (slides)
Your smartphone is a civil rights issue (TED talk)
Receive SMS Online
Android wear MiTM
*droid: Assessment and Evaluation of Android Application Analysis Tools (paper)
Using Google Fi on an iPhone
iOS WebView auto dialer bug
I finally made it to Kiwicon this year (special thanks to vt for dragging us out!). I even managed to get a talk in (con bucket list--) making the trip even sweeter.
The conference was absolutely awesome. Well organized, friendly people (staff and attendees!), and a perfect venue. The conference had about 2500 attendees which seemed like a good fit for the venue. I liked the overall program, the intermissions and speaker introductions were absolutely fantastic. In my opinion Kiwicon is at the sweet spot on the issues of size and target audience. It is big enough to be attract different kinds of folks and it is small enough to find people and hangout. I also really love single track conferences!
Sadly it was announced that this was the last Kiwicon, I'm happy to have made it to the last one! Thanks!
Below a few photos and videos from Kiwicon, the official Kiwicon photos are here.
Ohai KiwiCon pic.twitter.com/lZT7ldKw18— Collin Mulliner (@collinrm) November 16, 2016
TL;DR: iOS WebViews can be used to automatically call an attacker controlled phone number. The attack can block the phone's UI for a short amount of time and therefore prevent the victim from canceling the call. The bug is an application bug that likely is due to bad OS/framework defaults. One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible. The Twitter and LinkedIn iOS apps are vulnerable (other apps might be vulnerable too). Demo videos here: Twitter and LinkedIn (embedded videos are below on this page).
About a week ago (on a Friday) I read an news post [1,2] about a guy who got arrested for accidentally DoSing 911 by creating a web page that automatically dialed 911 when visited it from an iPhone. This was most likely due to a bug with the handling of TEL URI [4,5]. I immediately thought about a bug I reported to Apple in late October 2008 . I couldn't believe this bug has resurfaced so I investigated. The article said something about posting links on Twitter.
On Nov. 6th I updated the bug report to Twitter to add the UI blocking issue (continue reading) and uploaded a video. Today Twitter simply closes the bug as a duplicate without any comment. While this might be a simple duplicate they should have an interest in playing nice and being thankful to those who report bugs they find in their spare time. Because of this action I decided to post the full details of the issue today.
During the weekend I took some time to further investigate the issue. I determined that this might be a general issue with iOS apps the use WebViews to display content. I tested a few popular apps I had installed. Vulnerable apps need a way for users to post web links that will be opened in a WebView inside the app itself. Apps that open links in mobile Safari or Chrome would not be vulnerable (I tested this). One app I tested fairly early was the LinkedIn app since LinkedIn basically is social media for the business context. People can send messages and post updates. Updates usually are text and link. I posted a link and clicked it and yes it dialed my other phone (demo video below).
I wanted to submit the bug to LinkedIn and found that they have a bug bounty program. Unfortunately it was a private bounty and you would only be added if you previously submitted bugs. I tried to get around it but it didn't work. After some thinking I decided to not report it to LinkedIn privately but openly (parallel to this blog post). It is 2016 after all and if they don't want to add me to their program that is their choice. In general I will likely not report bugs outside of a bug bounty program if a private bug bounty program exists.
Another weekend comes I have some time and started playing with the bug again. Actually I started looking at my PoC from 2008 while trying to figure out if I report the bug to LinkedIn or not. After playing around for a bit I more or less get my old PoC working with the Twitter and LinkedIn apps. WOW!
Taking one step backwards. The original bug I reported to Twitter was triggering a phone call by visiting a website that redirect to a TEL URL. One could do this with various techniques such as: http-meta refresh, iframe, setting document.location, window.location, or an HTTP redirect (Location header). This would simply dial a number. The victim would see the dialer and the target number on the screen and of course could just cancel the call by pressing the big red button. Just causing the call is already bad since an unobservant person will be baffled (why is my phone dialing some number).
The beauty of my 2008 bug was that I could block the phone's UI for a few seconds and therefore prevent the user from canceling the call. I managed to abuse exactly the same trick to block the UI that I used in 2008. The trick is to cause the OS to open a second application while the phone is dialing the given number. Opening applications is pretty straight forward, you open a URL that causes the OS to spawn another application. This can be anything from the messages app (via the SMS: URL) or iTunes (via the itms-apps: URL). You can pretty much get any application to launch that has a URI binding. In 2008 I used a SMS URL with a really really long phone number to block the UI thread. My best guess on how this works is that the IPC subsystem actually has difficulties to move several kilobytes of URL data through the various layers into the app and the target app might also not be super happy about really large URLs. I ended-up with the code below. The code uses the combination of meta-refresh tag and window.location to execute the attack. The codes delays setting the window.location by 1.3 seconds to guarantee that the dialer is executed first. The delay cannot be too long otherwise the WebView will not execute the URL handler for launching the messages app. Basically you have to get the timing just right.
The PoC to trigger this bug.
Below two video demonstrations of this attack. You can clearly see that the UI is not responsive for a short amount of time. The time is long enough to make somebody pickup on the other side (especially service hot lines automatically pickup).
Normal good app behavior:
Apps should normally check the URL schema before executing it and show the user a pop-up dialog before executing an app on the device. Some examples are shown below:
Mobile Safari asking before calling the Apple Support number. This is how good apps should behave!
Dropbox showing a warning but not showing the target number. Ok but could be better.
The Yelp app normally behaves like Safari but if you hit it with an HTTP redirect it does not show the target number. I just included this for the fun of it.
App developers should review their use of WebViews to determine if they are vulnerable to this attack. Vulnerable apps need to be fixed. Service providers like Twitter and LinkedIn can inspect links posted to their sites for containing malicious code and prevent those links from being posted to their service.
Apple should change the default behavior of WebViews to exclude execution of TEL URIs and make it an explicit feature to avoid this kind of issues in the future. I reported this issue to Apple.
 Bug Bounty Hunter Launches Accidental DDoS Attack on 911 Systems via iOS Bug (softpedia)
 iPhone hack that threatened emergency 911 system lands teen in jail (ars technica)
 Here my post to full-disclosure in Nov. 2008 after Apple fixed the bug in iOS 3.0 : iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)
 Original TEL URI schema RFC2806 URLs for Telephone Calls
 Updated TEL URI schema RFC3966 The tel URI for Telephone Numbers