
Major Android fail - directly actioning 'tel:' URIs

If you have an Android phone, you NEED to read this.

First - here's a typical gutter press take on tech subjects:

Gutter press screamy headline
The actual Daily Mail article is slightly saner than the screamy headline (perhaps that was devised by an iFanboi?).

This issue...

It's a vulnerability which is, on the face of it, fairly innocuous, but thanks to some super cluelessness and ass-backward lack of forethought, can be used to cause serious damage to your phone.
Well, not actual physical harm (as far as I'm aware), but you might feel that resetting your phone to factory default and chucking away all of your personal data held on the phone (irretrievably) might qualify as a sort of damage.

The flaw was first reported with the Samsung Galaxy S III, but I can also confirm that the flaw exists with my phone, the SonyEricsson Xperia Mini Pro.

Before I go into details, here's a simple test.

*#06# (your IMEI)
(don't trust me? view the page source!)

Click the link above, and you should not see your phone's IMEI number appear on the screen. If it does appear, your phone is vulnerable.

 

What is going on

If you look at the URL of this web page, you will see it starts with http: which means, basically, it's a webpage. There are all manner of other protocols, some that can be supported by your browser (such as ftp:) and some which require other programs to work (such as telnet:). Then there's the final category: links that the browser isn't able to handle directly but knows something that can; the usual candidate here is the mailto: link for emails.

In the era of mobile telecommunications, it became a good idea to add a tel: link so websites could hyperlink telephone numbers for ease of contacting. You know, it's a bit silly if you have an internet link running at megabits/sec in your pocket, but you need to scrabble around looking for a piece of paper just to write down a number to then tap into the phone. Why not... you know...
And so the tel: link had a ready-made purpose.

 

Why this is a problem

This is a problem because, frankly, Android's stock dialler is stupid. Given a telephone number, it will commence dialling it.
Maybe it is working on the theory of "all users are morons"? Maybe it is working on the theory of "all users are lazy morons"? I don't know. But it would have made a lot more sense if the dialler appeared, and then waited for you to tap on the connect button.

Really, if you get a link to *#06#, you should see this:

The dialler should always prompt

You should only see this after permitting the connection:

You shouldn't see this pop up!

Because this dial-automatically behaviour carries with it some... shall we say... implications.

Consider if the link above had claimed to be your IMEI but was in fact a premium rate number that'll hit you for €1,50 per connect?

Or how about this:

Calling 999
[this is the British equivalent to 112 (Europe) or 911 (US), and calling in a non-emergency situation is something that'll land you in trouble]

 

But it gets worse

There are a number of secret codes hidden within Android. One of the more popular is this:
*#*#4636#*#*
That spells "INFO" on the phone-pad, so leads to a menu giving extra information/statistics on the phone.
Do NOT alter anything in the "Phone information menu", you could seriously muck up your phone's ability to connect to mobile networks.

If you are using a SonyEricsson Xperia Mini Pro (might work for other models?), then you can also try:

*#*#7378423#*#*
That one spells "SERVICE" on the phone-pad and leads to a menu of hidden weirdness, the "Service tests" has lots of fun stuff. I've had my phone in voice calls for 21h, 53m, 50s. Since January. I'm not a teenage girl. ☺ Additionally, I've flipped my phone open (to expose the keyboard) 3,641 times. My battery is good, and the compass is as startlingly inaccurate as normal.
Again, if you see options to alter stuff, best leave 'em be.

But then there are other codes. Codes to do nice stuff like reset the phone to factory defaults. I couldn't find any details on this for the Xperia Mini Pro (as this function is actually somewhere in the normal menus), but other phones do contain such secret codes. Well, not so secret, Google will turn up several. And astonishingly it appears that the phone does not bother asking for confirmation!!! Fail! FAIL!! FAIL!!!
[I'm not normally as abusive as this with exclamation marks, but to go for a reset of that nature without spelling out the consequences and asking at least once if not twice is totally bloody stupid]

 

Oh come on, you gotta click a link, right?

Yeah. Sure. Whatever you say.

<cough>

<iframe src="tel:nasty-number-here" />

That, stuck into a webpage, will cause the action to happen just by viewing the webpage. It isn't JavaScript, so disabling scripts and plugins and such won't stop it.

 

Is this serious?

Now it's a highly publicised thing, yes, I think we can consider it to be serious. God knows the less legit people of the world are looking to make a buck or two off you, what better way than to get your phone to auto-dial something that'll make them money?
Imagine burying this in forums that don't correctly sanitise user-added markup. How many people might get suckered before it gets removed?
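As an added example (not code from the original post), here is a small Python checker of the kind a forum or CMS could run over user-submitted markup to catch the auto-dial vector described above: it finds tel: URIs in URL-bearing attributes, decodes percent-encoding, and blanks any that sit in an auto-loading attribute such as an iframe's src or that carry an MMI/USSD code (anything containing * or #). The sample markup and the helper names are constructed for this illustration, and the check complements rather than replaces a proper allow-list sanitiser.

```python
import re
from urllib.parse import unquote

# Constructed sample of user-submitted forum markup: one legitimate tel: link,
# one hidden auto-loading frame of the kind the post describes, and one link
# that hides an MMI code behind percent-encoding.
SAMPLE_HTML = """
<p>Call us on <a href="tel:+441234567890">01234 567890</a></p>
<iframe src="tel:%2A%2306%23" style="display:none"></iframe>
<a href="TEL:*%23*%234636%23*%23*">phone info</a>
<img src="https://example.invalid/pic.png">
"""

# Attributes whose value the browser treats as a URL (and may fetch unprompted).
URL_ATTR_RE = re.compile(r'(?i)\b(href|src|action|data)\s*=\s*(["\'])(.*?)\2')

def decode_tel(value: str):
    """Return the dial string if the attribute value is a tel: URI, else None.
    Percent-encoding and case are normalised first so that tel:%2A%2306%23
    and TEL:*#06# are both recognised as the same thing."""
    v = unquote(value.strip())
    return v[4:] if v[:4].lower() == "tel:" else None

def is_mmi_code(dial: str) -> bool:
    """A plain number is digits with an optional leading '+' and separators.
    Anything containing '*' or '#' is handed to the MMI/USSD handler by the
    dialler, which is what makes *#06# (or a reset code) 'work' when dialled."""
    return "*" in dial or "#" in dial

def scan_tel_uris(html: str):
    """List (attribute, dial string, is_mmi) for every tel: URI in the markup."""
    out = []
    for m in URL_ATTR_RE.finditer(html):
        dial = decode_tel(m.group(3))
        if dial is not None:
            out.append((m.group(1).lower(), dial, is_mmi_code(dial)))
    return out

def sanitize_tel_uris(html: str) -> str:
    """Keep tel: only on href (the user must tap it) and only for plain numbers;
    blank out tel: in auto-loading attributes (src etc.) and any MMI code."""
    def repl(m):
        attr, quote, value = m.group(1), m.group(2), m.group(3)
        dial = decode_tel(value)
        if dial is not None and (attr.lower() != "href" or is_mmi_code(dial)):
            return f"{attr}={quote}{quote}"
        return m.group(0)
    return URL_ATTR_RE.sub(repl, html)
```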

 

When will your phone get an update?

Probably never, sadly, for many of us.

I know people are falling over themselves to rush fixes out the door, but the sad fact of Android is that the update cycle is roughly:

So, some phones will receive an update. I suspect the majority won't unless Google themselves pull strings.
To give a current example, ICS (Android 4) is being rolled out to my phone (as well as the rest of the Xperia range from 2011). Many of them have the ability to switch to ICS, but mine (SI 1251-8056) is currently absent from the list. I wonder if Orange will get around to it before next January (phone renewal, so I might put ICS on the Xperia to play with it, once I have a new phone).

It is a sad fact of the Android infrastructure that all this needs to happen just to be able to roll out an update. Given we are using a version of Linux, maybe one day phones will have NAND flash inside them so that firmware files ('in ROM') can be updated with small patch files pushed out quickly. Certainly, one thing to consider is that the built-in browser is not available in the Market/Play and it does not seem to be updateable in any way other than a new firmware release. Given you are using an actual micro-sized computer system (yes, I said Linux) this whole state of affairs seems nuts, don't you think?

 

So what can be done?

Scream. Shout. Wail. Smash crockery. Write angry letters to the local paper. Punch the stuffing out of your pillow. Taunt your goldfish with a packet of Findus' finest.
None of this will do anything to solve the problem, but it might make you feel better.

When you are feeling saner...

The flaw here is the Dialler. The fix, install another dialler.

My personal recommendation is myDialer lite by Michał Motyczko. I chose this one because it had permissions that made sense.
Don't panic that it can directly call numbers - it is a dialler, it is supposed to. Also, read/write contacts. This makes sense too.
What this app does not ask for is geolocation (GPS or WiFi or cell), internet access, and so on.
This app can read your contacts, but it isn't about to upload 'em all to a server in Thailand.

Best of all, you don't even need to use this app!

When your phone encounters a tel: link, it will recognise that there are two diallers, so it will helpfully ask you which you would like to use...

Two diallers? Oooh, choices!
This is your clue that possibly something odd is happening. If you intended for a number to be dialled, then tap on the normal dialler (here, it is called "Phone").
Do not select "Use by default for this action" as that will defeat what we are trying to do here!

If, on the other hand, you were not expecting anything to be dialled, then you have two choices.

Inspecting the number using myDialer lite

 

Lessons will be learned...

Yeah, yeah... how many times have we heard that?

Well, I hope at least these lessons might be contemplated for a future release/fix of Android:

 

Your comments:

iPhan, 29th September 2012, 17:09
If you think Android is so bad, just get yourself an iPhone. You won't regret it.
Rick, 1st October 2012, 20:04
Oh, I dunno. Paying a premium for "average" hardware doesn't seem to be my idea of worthwhile. Not to mention Apple has its fair share of Fail if you look (gee, let's disregard basic antenna theory and stick the thing on the outside as a feature 'cos it looks really cool!!!; not to mention the current state of the map application). I like the ability to source my apps from where I like (there is one, Mango, that Google has twice rather arbitrarily kicked off its Market/Play so the developer is keeping it going on his own; and I can download and install this without jumping through hoops). Apple has been found to be recording user location information, so in this respect it is probably no better or worse than Android. CarrierIQ has been seen to have been placed into handsets in a rather system-agnostic fashion, including both Android and iOS (among others). 
I am also enjoying "syncing" my phone with my computer just by plugging it in and having a drive letter assigned to it (it'll do MTP as well if I need), plus easily removable media cards (dismount from the phone's setup, pop open the back, slide it out), plus the ability to charge it from a completely standardised connector (microUSB). There's one in the car and one in the corner of my room. The one that came with the phone itself is around someplace, too. 
 
So in short, I think a move to Apple would provide me with a more polished and nicer looking user interface experience. As for the rest? Not so sure about that. 
 
Android is not perfect, there's a heap of stuff I'd like to see changed. However I like the freedom and flexibility of the system. That my core "favourite apps" just work on either of my phones (and will on my next one). That there is a freedom to do stuff outside of the Googlesphere. Perhaps freedom is something you don't miss until you no longer have any, and if you never had it in the first place you don't know what it is. 
28 years ago, Apple asked me to Think Different. 
I am. 
(^_^)
