Do iPhone apps have permission to make calls without user interaction?

I was reading about a missed call scam just now where the user gets charged even if they don't call the number back. It occurred to me that a malicious iPhone app could make calls to premium numbers to scam users out of money - indeed, it appears this has happened in the past.

According to Apple's own documentation:

When a user taps a telephone link in a webpage, iOS displays an alert asking if the user really wants to dial the phone number and initiates dialing if the user accepts. When a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user.

It seems to me that an apparently benign iPhone app could, say, wait until the phone was left on charge (and hence likely not being attended by the user) and then initiate a call to a premium rate number to net the developer a tidy bonus. There doesn't appear to be any permission in iOS I can change to prevent this behaviour, since this is opening the phone app with a URL rather than accessing any phone data.

Can anyone confirm if my understanding is correct and, if so, why on earth Apple haven't closed such a gaping hole?


Solution 1:

I've experimentally checked the iOS behavior by trying to initiate a phone call from one of my apps.

Here are the results:

  • It is possible to programmatically start a phone call without user confirmation. I've just written a single line of code that is executed right after the app has been loaded. This means that if your app is in the foreground it can start a call at any time, even without needing the user to tap anywhere.
  • I've sent a silent remote push notification to the app in order to wake it up if it is not running, and then execute the same code. No call was started; iOS does not allow an app to initiate a phone call if the app is running in the background.

So answering your questions, the only way to start a phone call without the user noticing it is by somehow convincing the user to leave the malicious application running in the foreground, and then starting the phone call, as iOS won't allow this operation if the app is backgrounded.

Currently iOS does not provide any mechanism to block starting phone calls from a particular app, but it can only happen if the app is in the foreground.

Solution 2:

I've made a test app to check this. An app can open a URL such as tel://123456789 only when it is in the foreground and active. When I call this code even just after entering the background state, the API to open this URL did nothing. So to answer your question - apps won't be able to make a call without your knowledge.

To test this paste this in your AppDelegate:

// Runs when the app leaves the foreground; the tel: open is expected to be ignored here.
- (void)applicationDidEnterBackground:(UIApplication *)application {
    [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"tel://123456789"]];
}
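The same experiment as the snippet above, as an added example that is not from any of the answers, rewritten against the iOS 10+ openURL:options:completionHandler: API so that the result iOS reports can be logged for the foreground and background cases instead of being inferred from silence. DialTestAppDelegate is a constructed test delegate and the number is a placeholder.

```objective-c
#import <UIKit/UIKit.h>

// Constructed test delegate; in a real project this logic would live in the app's own AppDelegate.
@interface DialTestAppDelegate : UIResponder <UIApplicationDelegate>
@end

// Attempt to open a tel: URL and log the app state together with the result iOS reports.
static void TryDial(NSString *context) {
    // Placeholder number; no real destination is intended.
    NSURL *url = [NSURL URLWithString:@"tel://0000000000"];
    UIApplicationState state = [UIApplication sharedApplication].applicationState;
    [[UIApplication sharedApplication] openURL:url
                                       options:@{}
                             completionHandler:^(BOOL success) {
        // Foreground: success is expected to be YES (the Phone app is handed the URL;
        // recent iOS versions show a confirmation sheet first).
        // Background: the open is expected to be refused, per the observations above.
        NSLog(@"%@: applicationState=%ld openURL success=%d",
              context, (long)state, (int)success);
    }];
}

@implementation DialTestAppDelegate

// App is in the foreground and active.
- (void)applicationDidBecomeActive:(UIApplication *)application {
    TryDial(@"didBecomeActive");
}

// App has just moved to the background.
- (void)applicationDidEnterBackground:(UIApplication *)application {
    TryDial(@"didEnterBackground");
}

@end
```

Compare the two log lines after backgrounding the app: the difference in the reported result is the platform control the answers describe.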

Solution 3:

When trying to initiate a call on iOS >= 10.3, a popup will always be displayed to the user. Docs