iOS URL spoofing a real danger, says researcher

Security researcher Nitesh Dhanjani has demonstrated a method by which malicious apps could fool web users into thinking they are on a trusted site (such as a bank’s website) when they are not, and the trick is tied to Apple’s own API for displaying websites within apps. The technique, called UI spoofing, hides the “genuine” URL once the page has loaded and either draws a “fake” URL bar in its place, tricking unobservant users into believing they are on a different site, or simply leaves the URL bar hidden entirely, preventing users from discerning what site they are actually on.

The technique uses Apple’s own UIWebView class, which allows developers to display web sites without exiting the application or invoking Safari. The API requires that the “real” URL bar be present while the site is loading, but can be hidden or spoofed once the page is loaded. On fast connections, the “real” URL may disappear too quickly for users to notice.
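As an added illustration of the mitigation side (this is not code from the article or from Dhanjani’s demonstration, and the class and method names are hypothetical), the following Objective-C view controller wraps a UIWebView and keeps a native URL label in the app’s own view hierarchy rather than inside the page. Because the label is not page content, nothing the loaded HTML, CSS or JavaScript does can scroll it away or paint over it, and it is updated from the web view’s own request, including after redirects from shortened links.

```objective-c
// Added example, not from the article: an in-app browser that keeps a
// trustworthy URL indicator outside the web content. Names are hypothetical.
#import <UIKit/UIKit.h>

@interface TrustedURLWebViewController : UIViewController <UIWebViewDelegate>
@property (nonatomic, strong) UILabel *urlLabel;   // native chrome, not page content
@property (nonatomic, strong) UIWebView *webView;
@end

@implementation TrustedURLWebViewController

- (void)viewDidLoad {
    [super viewDidLoad];
    CGRect bounds = self.view.bounds;
    CGFloat barHeight = 44.0;

    // The label is a sibling of the web view, placed above it, so the page
    // cannot replace or cover it the way it can a bar rendered in HTML.
    self.urlLabel = [[UILabel alloc] initWithFrame:CGRectMake(0, 0, bounds.size.width, barHeight)];
    self.urlLabel.backgroundColor = [UIColor lightGrayColor];
    self.urlLabel.font = [UIFont systemFontOfSize:13.0];
    [self.view addSubview:self.urlLabel];

    self.webView = [[UIWebView alloc] initWithFrame:CGRectMake(0, barHeight,
                                                               bounds.size.width,
                                                               bounds.size.height - barHeight)];
    self.webView.delegate = self;
    [self.view addSubview:self.webView];
}

- (void)loadURL:(NSURL *)url {
    [self.webView loadRequest:[NSURLRequest requestWithURL:url]];
}

// Show the destination before anything renders, so a fast connection does
// not let the hop from a shortened link to its real target flash past.
// Note: this delegate method also fires for sub-frame loads; the finish
// handler below corrects the label from the main-frame request.
- (BOOL)webView:(UIWebView *)webView
        shouldStartLoadWithRequest:(NSURLRequest *)request
        navigationType:(UIWebViewNavigationType)navigationType {
    [self showURL:request.URL loading:YES];
    return YES;
}

// After load, read the URL from the web view's own request (which reflects
// redirects) rather than from anything the page says about itself.
- (void)webViewDidFinishLoad:(UIWebView *)webView {
    [self showURL:webView.request.URL loading:NO];
}

- (void)webView:(UIWebView *)webView didFailLoadWithError:(NSError *)error {
    [self showURL:webView.request.URL loading:NO];
}

- (void)showURL:(NSURL *)url loading:(BOOL)loading {
    NSString *scheme = [url.scheme lowercaseString] ?: @"";
    NSString *host = url.host ?: @"(no host)";
    // Scheme and host are the two fields a user needs in order to judge
    // whether the page is the site it claims to be.
    NSString *prefix = [scheme isEqualToString:@"https"] ? @"[https] " : @"[not encrypted] ";
    self.urlLabel.text = [NSString stringWithFormat:@"%@%@%@",
                          prefix, host, loading ? @" (loading...)" : @""];
}

@end
```

The design choice worth noting is that the indicator is driven entirely by the app’s view of the navigation (the delegate callbacks and `webView.request.URL`), never by content the page controls; a bar drawn in HTML, however convincing, is exactly what the spoof replaces.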

As an example, Dhanjani launched the Twitter app for iPad, found a “shortened” URL in a random tweet, and tapped it. The URL bar appeared with the shortened URL, but the page loaded so quickly that the “resolved” URL was visible only momentarily before the page finished loading and the site was displayed with the URL bar hidden.

This technique could prove a boon for phishers and other propagators of trickware on the web. Dhanjani says the problem arose from the need to maximize screen real estate on small devices like the iPhone, combined with developers’ desire to keep the user “immersed” in their own application rather than launching a separate browser, as would happen on a desktop computer when an http or https URL is clicked.

Dhanjani has communicated with Apple over the issue and says they are aware of it but have not offered any information on when or how the problem will be fixed. He has also reported a previous discovery, insecure handling of URL schemes in iOS, to Apple.

A video showing the UI spoofing technique in action has been posted to Dhanjani’s blog as part of the post detailing it. He has also set up a spoof URL, mimicking a Bank of America login site, as a demonstration. In the images below, the left image shows the fake page with the URL bar hidden; the right image shows what the user would see if they think to scroll up (or while the page is loading).

[Screenshots: left, the fake page with the URL bar hidden; right, the same page with the real URL bar visible, as seen while loading or after scrolling up]