
Major Android fail - directly actioning 'tel:' URIs

If you have an Android phone, you NEED to read this.

First - here's a typical gutter press take on tech subjects:

Gutter press screamy headline
The actual Daily Mail article is slightly saner than the screamy headline (perhaps that was devised by an iFanboi?).

This issue...

It's a vulnerability which is, on the face of it, fairly innocuous, but thanks to some super cluelessness and ass-backward lack of forethought, can be used to cause serious damage to your phone.
Well, not actual physical harm (as far as I'm aware), but you might feel that resetting your phone to factory default and chucking away all of your personal data held on the phone (irretrievably) might qualify as a sort of damage.

The flaw was first reported with the Samsung Galaxy S III, but I can also confirm that the flaw exists with my phone, the SonyEricsson Xperia Mini Pro.

Before I go into details, here's a simple test.

*#06# (your IMEI)
(don't trust me? view the page source!)

Click the link above, and you should not see your phone's IMEI number appear on the screen. If it does appear, your phone is vulnerable.


What is going on

If you look at the URL of this web page, you will see it starts with http: which means, basically, it's a webpage. There are all manner of other protocols, some that can be supported by your browser (such as ftp:) and some which require other programs to work (such as telnet:). Then there's the final category: links that the browser isn't able to handle directly but knows something that can. The usual candidate here is the mailto: link for emails.

In the era of mobile telecommunications, it became a good idea to add a tel: link so websites could hyperlink telephone numbers for ease of contacting. You know, it's a bit silly if you have an internet link running at megabits/sec in your pocket, but you need to scrabble around looking for a piece of paper just to write down a number to then tap into the phone. Why not... you know...
And so the tel: link had a ready-made purpose.


Why this is a problem

This is a problem because, frankly, Android's stock dialler is stupid. Given a telephone number, it will commence dialling it.
Maybe it is working on the theory of "all users are morons"? Maybe it is working on the theory of "all users are lazy morons"? I don't know. But it would have made a lot more sense if the dialler appeared, and then waited for you to tap on the connect button.

Really, if you get a link to *#06#, you should see this:

The dialler should always prompt

You should only see this after permitting the connection:

You shouldn't see this pop up!

Because this dial-automatically behaviour carries with it some... shall we say... implications.

Consider if the link above had claimed to be your IMEI but was in fact a premium rate number that'll hit you for €1,50 per connect?

Or how about this:

Calling 999
[this is the British equivalent to 112 (Europe) or 911 (US), and calling in a non-emergency situation is something that'll land you in trouble]


But it gets worse

There are a number of secret codes hidden within Android. One of the more popular is this: That spells "INFO" on the phone-pad, so leads to a menu giving extra information/statistics on the phone.
Do NOT alter anything in the "Phone information menu", you could seriously muck up your phone's ability to connect to mobile networks.

If you are using a SonyEricsson Xperia Mini Pro (might work for other models?), then you can also try:

That one spells "SERVICE" on the phone-pad and leads to a menu of hidden weirdness; the "Service tests" entry has lots of fun stuff. I've had my phone in voice calls for 21h, 53m, 50s. Since January. I'm not a teenage girl. ☺ Additionally, I've flipped my phone open (to expose the keyboard) 3,641 times. My battery is good, and the compass is as startlingly inaccurate as normal.
Again, if you see options to alter stuff, best leave 'em be.

But then there are other codes. Codes to do nice stuff like reset the phone to factory defaults. I couldn't find any details on this for the Xperia Mini Pro (as this function is actually somewhere in the normal menus), but other phones do contain such secret codes. Well, not so secret, Google will turn up several. And astonishingly it appears that the phone does not bother asking for confirmation!!! Fail! FAIL!! FAIL!!!
[I'm not normally as abusive as this with exclamation marks, but to go for a reset of that nature without spelling out the consequences and asking at least once if not twice is totally bloody stupid]


Oh come on, you gotta click a link, right?

Yeah. Sure. Whatever you say.


<iframe src="tel:nasty-number-here" />

That, stuck into a webpage, will cause the action to happen just by viewing the webpage. It isn't JavaScript, so disabling scripts and plugins and such won't stop it.


Is this serious?

Now it's a highly publicised thing, yes, I think we can consider it to be serious. God knows the less legit people of the world are looking to make a buck or two off you, what better way than to get your phone to auto-dial something that'll make them money?
Imagine burying this in forums that don't correctly sanitise user-added markup. How many people might get suckered before it gets removed?
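Here is the kind of check a forum or CMS operator could run over user-submitted markup before publishing it. It is an added example written for this page, not code from the post or from Android; the table of auto-loaded elements and the three severities are my own choices, and the sample post is constructed (its phone number sits in the UK 01632 960xxx range reserved for fiction, and the only device code in it is the IMEI query from the test link above).

```python
"""Added example: scan user-submitted markup for tel: URIs that a vulnerable
Android dialler would action without a tap. Not from the original post."""
from html.parser import HTMLParser
from urllib.parse import unquote
import re

# Elements whose URL-valued attribute the browser fetches (and so hands to the
# tel: handler) as soon as the page renders, with no tap from the user.
# <a href> is deliberately absent: it needs a click, so it gets a lower severity.
AUTO_LOAD = {
    "iframe": ("src",),
    "frame": ("src",),
    "img": ("src",),
    "embed": ("src",),
    "script": ("src",),
    "object": ("data",),
    "link": ("href",),
    "form": ("action",),
}

# '*' and '#' are what turn a dial string into an MMI/USSD command rather than
# a number to ring (the page's own *#06# IMEI test is one such code).
MMI_CHARS = re.compile(r"[*#]")


def tel_target(value):
    """Return the dial string if `value` is a tel: URI once the decoding a browser
    applies (percent-decoding, surrounding whitespace, scheme case) is undone,
    else None."""
    decoded = unquote(value or "").strip()
    if decoded[:4].lower() != "tel:":
        return None
    return decoded[4:]


class TelScanner(HTMLParser):
    """Collects (severity, tag, attribute, dial string) for every tel: URI seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            number = tel_target(value)
            if number is None:
                continue
            if name in AUTO_LOAD.get(tag, ()):
                severity = "high"      # renders -> dials; no user action at all
            elif MMI_CHARS.search(number):
                severity = "medium"    # needs a tap, but it is a device code, not a number
            else:
                severity = "info"      # an ordinary clickable phone-number link
            self.findings.append((severity, tag, name, number))

    # HTMLParser routes <iframe ... /> through handle_startendtag, which by default
    # calls handle_starttag, so self-closing tags are covered too.


def scan_markup(html):
    """Parse `html` and return the scanner's findings in document order."""
    scanner = TelScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed forum post for demonstration: the number is in the UK 01632 960xxx
# range reserved for fiction, and the code is the post's own IMEI query.
SAMPLE_POST = """
<p>Call me on <a href="tel:+44 1632 960123">+44 1632 960123</a></p>
<p>Check your IMEI: <a href="tel:*%2306%23">*#06#</a></p>
<iframe src="tel:%2A%2306%23" style="display:none"></iframe>
<img src="TEL:*#06#" alt="">
"""

if __name__ == "__main__":
    for severity, tag, attr, number in scan_markup(SAMPLE_POST):
        print(f"{severity:6} <{tag} {attr}=...>  dial string: {number}")
```

The decoding step matters more than the tag table: a filter that only looks for the literal string `tel:` misses `TEL:`, leading whitespace and percent-encoded forms, all of which the browser happily normalises before handing the URI to the dialler. A forum that allowlists tags (and so never lets an iframe through at all) is the stronger fix; this scanner is the check for the forums the post describes, which don't.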


When will your phone get an update?

Probably never, sadly, for many of us.

I know people are falling over themselves to rush fixes out the door, but the sad fact of Android is that the update cycle is roughly:

  • Google makes a cool new Android.
  • The phone manufacturer dicks around with it.
  • The carrier (telco) dicks around even more.
  • It arrives in the shops, probably months out of date and full of bloatware you can't remove.
  • If you are lucky, the manufacturer will care enough to give you an update or two before it is obsoleted.
  • Assuming, of course, the carrier plays along.
  • Everybody already got your money. You don't count for much any more.
So, some phones will receive an update. I suspect the majority won't unless Google themselves pull strings.
To give a current example, ICS (Android 4) is being rolled out to my phone (as well as the rest of the Xperia range from 2011). Many of them have the ability to switch to ICS, but mine (SI 1251-8056) is currently absent from the list. I wonder if Orange will get around to it before next January (phone renewal, so I might put ICS on the Xperia to play with it, once I have a new phone).

It is a sad fact of the Android infrastructure that all this needs to happen just to be able to roll out an update. Given we are using a version of Linux, maybe one day phones will have NAND flash inside them so that firmware files ('in ROM') can be updated with small patch files pushed out quickly. Certainly, one thing to consider is how the built-in browser is not available in the Market/Play and it does not seem to be updateable in any way other than a new firmware release. Given you are using an actual micro-sized computer system (yes, I said Linux) this whole state of affairs seems nuts, don't you think?


So what can be done?

Scream. Shout. Wail. Smash crockery. Write angry letters to the local paper. Punch the stuffing out of your pillow. Taunt your goldfish with a packet of Findus' finest.
None of this will do anything to solve the problem, but it might make you feel better.

When you are feeling saner...

The flaw here is the Dialler. The fix, install another dialler.

My personal recommendation is myDialer lite by Michał Motyczko. I chose this one because it had permissions that made sense.
Don't panic that it can directly call numbers - it is a dialler, it is supposed to. Also, read/write contacts. This makes sense too.
What this app does not ask for is geolocation (GPS or WiFi or cell), internet access, and so on.
This app can read your contacts, but it isn't about to upload 'em all to a server in Thailand.

Best of all, you don't even need to use this app!

When your phone encounters a tel: link, it will recognise that there are two diallers, so it will helpfully ask you which you would like to use...

Two diallers? Oooh, choices!
This is your clue that possibly something odd is happening. If you intended for a number to be dialled, then tap on the normal dialler (here, it is called "Phone").
Do not select "Use by default for this action" as that will defeat what we are trying to do here!

If, on the other hand, you were not expecting anything to be dialled, then you have two choices.

  • The Quick Choice - tap on the 'Back' button to cancel the attempted dial.
  • The Sherlock Choice - choose "myDialer lite" because it will show you the number in a green bar (you must tap on the green bar to dial) so you can look and see what number your phone was being instructed to dial.
Inspecting the number using myDialer lite


Lessons will be learned...

Yeah, yeah... how many times have we heard that?

Well, I hope at least these lessons might be contemplated for a future release/fix of Android:

  • The dialler should never just blindly auto-dial from a provided URI.
  • No phone, no firmware, no super-secret option should ever perform an action as destructive as a factory reset without a confirmation.
    If it was up to me, I would ask for confirmation. Then I would spell out what was going to happen, then I would ask again with the wording altered so blindly tapping the same button did not perform the factory reset [in other words, something like "Are you sure you wish to factory reset your phone" (user taps Yes) then "blah blah blah ... do you wish to cancel factory reset of your phone?" (user must tap No)]
  • Ideally, the dialler ought to sanitise input so these secret codes are only valid when tapped in at the keyboard; perhaps by filtering out anything that isn't a '+' or a digit. This means, of course, network codes such as "#123#" would be rejected, but given the number of times you're likely to see links to that, I wouldn't imagine it would be a hardship.
  • Google might be a big pile of data-suckers, but really this open doors approach is not on. There are serious trust issues here and Google might well want to consider starting to take 'trust' seriously. For starters, one thing we should not blindly trust is the massive piece of miscreant cack that calls itself The Internet. It all went downhill when the SEO arrived, and it's now islands of nice floating in a cesspool so rancid it probably harbours undiscovered lifeforms. Seriously, there's some nasty stuff out there and the less chance it has at getting its tentacles into you or your equipment, the better.
  • Never ever EVER take world-provided tel: links and "just dial them". God, how can I spell this out any clearer than that?
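The input-sanitising point from the list above, worked through as an added example; this is not Android's code and not the post's, just a sketch of the rule it proposes. It assumes a dialler that receives the raw tel: URI from the browser; the two regexes and the "prompt"/"reject" outcomes are my own choices, and the test strings are constructed (the IMEI code from the test link above, in plain and percent-encoded form, a "#123#"-style network code, and a number from the UK range reserved for fiction). One deliberate departure from the wording above: it rejects a code rather than stripping the '*' and '#' out of it, because stripping "*#06#" leaves "06", a different number that would then be dialled. Even an accepted number is only ever shown for the user to tap, which is what deals with the premium-rate and 999 cases the filter cannot.

```python
"""Added example: a dialler-side policy for tel: URIs that arrive from a web page.
Not Android's code; a sketch of the rule the post proposes."""
from urllib.parse import unquote
import re

# Visual separators RFC 3966 permits inside a tel: number; they carry no dialling meaning.
SEPARATORS = re.compile(r"[\s.()-]")

# What a web-supplied number may look like once separators are gone: an optional
# leading '+', then ASCII digits only. [0-9] rather than \d so that non-ASCII digit
# characters cannot slip through. 3..15 digits covers 999 up to the E.164 maximum.
DIALABLE = re.compile(r"\+?[0-9]{3,15}")


def number_from_uri(uri):
    """Return the dial string a tel: URI carries, or None if it is not a tel: URI."""
    decoded = unquote(uri or "").strip()
    if decoded[:4].lower() != "tel:":
        return None
    # Anything after ';' is a URI parameter (e.g. phone-context); a web link has no
    # business setting those, so the policy ignores them and judges the number alone.
    return decoded[4:].split(";", 1)[0]


def dial_request(uri):
    """Decide what the dialler does with a tel: URI from untrusted markup.

    Returns ("prompt", number) when the number may be *shown* in the dialler for the
    user to tap, or ("reject", reason). Nothing is ever dialled from here: the prompt
    is what stops premium-rate and 999 links, the filter is what stops device codes.
    """
    raw = number_from_uri(uri)
    if raw is None:
        return ("reject", "not a tel: URI")
    compact = SEPARATORS.sub("", raw)
    if not DIALABLE.fullmatch(compact):
        # Reject rather than strip: stripping the offending characters from "*#06#"
        # would leave "06", a different number that would then be offered for dialling.
        return ("reject", f"not a plain number: {raw!r}")
    return ("prompt", compact)


# Constructed inputs: the post's own IMEI code in plain and percent-encoded form,
# a network code of the kind the post says would be rejected, a pause-character
# string, a non-tel: URI, and an ordinary number from the UK range reserved for fiction.
CASES = [
    "tel:+44 1632 960 123",
    "tel:*#06#",
    "tel:%2A%2306%23",
    "tel:#123#",
    "tel:999",
    "tel:+44-1632-960123,,1234",
    "http://example.com/",
]

if __name__ == "__main__":
    for case in CASES:
        action, detail = dial_request(case)
        print(f"{case:30} -> {action}: {detail}")
```

Running it prints one line per case; the only inputs that reach "prompt" are the ordinary number and 999, and both still need a tap. Codes typed at the dialler's own keypad never pass through this function, so the INFO/SERVICE menus described above keep working for anyone who actually wants them.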


Your comments:


iPhan, 29th September 2012, 17:09
If you think Android is so bad, just get yourself an iPhone. You won't regret it.
Rick, 1st October 2012, 20:04
Oh, I dunno. Paying a premium for "average" hardware doesn't seem to be my idea of worthwhile. Not to mention Apple has its fair share of Fail if you look (gee, let's disregard basic antenna theory and stick the thing on the outside as a feature 'cos it looks really cool!!!; not to mention the current state of the map application). I like the ability to source my apps from where I like (there is one, Mango, that Google has twice rather arbitrarily kicked off its Market/Play so the developer is keeping it going on his own; and I can download and install this without jumping through hoops). Apple has been found to be recording user location information, so in this respect it is probably no better or worse than Android. CarrierIQ has been seen to have been placed into handsets in a rather system-agnostic fashion, including both Android and iOS (among others). 
I am also enjoying "syncing" my phone with my computer just by plugging it in and having a drive letter assigned to it (it'll do MTP as well if I need), plus easily removable media cards (dismount from the phone's setup, pop open the back, slide it out), plus the ability to charge it from a completely standardised connector (microUSB). There's one in the car and one in the corner of my room. The one that came with the phone itself is around someplace, too.
So in short, I think a move to Apple would provide me with a more polished and nicer looking user interface experience. As for the rest? Not so sure about that.
Android is not perfect, there's a heap of stuff I'd like to see changed. However I like the freedom and flexibility of the system. That my core "favourite apps" just work on either of my phones (and will on my next one). That there is a freedom to do stuff outside of the Googlesphere. Perhaps freedom is something you don't miss until you no longer have any, and if you never had it in the first place you don't know what it is. 
28 years ago, Apple asked me to Think Different. 
I am. 

© 2012 Rick Murray