day121 / sipdroid

Automatically exported from code.google.com/p/sipdroid
GNU General Public License v3.0

Potential Security issue #1183

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Activities PSTN and SIP (org/sipdroid/sipua/ui) allow anyone to perform a regular phone call. Even an application not owning the permission android.permission.CALL_PHONE can call ANY number passed in the intent. (A malicious app could exploit this to start calls to expensive numbers.)

Also, in the manifest their filters are declared as

```xml
<intent-filter>
    <action android:name="android.intent.action.SENDTO"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <data android:scheme="sms"/>
    <data android:scheme="smsto"/>
</intent-filter>
```

while in the activities the sms/smsto schemes are replaced by 'tel:'.

Is this intended?

Original issue reported on code.google.com by davideg...@gmail.com on 30 Nov 2014 at 7:27
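
A manifest audit for the condition reported above, as an added example that is not part of the original issue or of sipdroid's code: it lists activities that other apps can start without holding any permission, together with the actions and schemes they accept. The manifest fragment is constructed; only the `SIP` activity name and the intent filter come from the issue, and `.ui.Guarded`, `.ui.Internal` and the `package` value are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the first activity mirrors the filter quoted in the issue;
# the package value and the other two activities are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.sipdroid.sipua">
  <application>
    <activity android:name=".ui.SIP">
      <intent-filter>
        <action android:name="android.intent.action.SENDTO"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="sms"/>
        <data android:scheme="smsto"/>
      </intent-filter>
    </activity>
    <activity android:name=".ui.Guarded"
              android:permission="android.permission.CALL_PHONE">
      <intent-filter>
        <action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="smsto"/>
      </intent-filter>
    </activity>
    <activity android:name=".ui.Internal" android:exported="false"/>
  </application>
</manifest>
"""

def unguarded_activities(manifest_xml):
    """Return (name, actions, schemes) for exported activities with no android:permission."""
    findings = []
    for act in ET.fromstring(manifest_xml).iter("activity"):
        filters = act.findall("intent-filter")
        exported = act.get(ANDROID + "exported")
        # Without an explicit android:exported, an intent-filter makes the
        # activity exported by default (explicit declaration is required from API 31).
        is_exported = exported == "true" or (exported is None and bool(filters))
        if not is_exported or act.get(ANDROID + "permission"):
            continue
        actions = sorted({a.get(ANDROID + "name") for f in filters for a in f.findall("action")})
        schemes = sorted({d.get(ANDROID + "scheme") for f in filters
                          for d in f.findall("data") if d.get(ANDROID + "scheme")})
        findings.append((act.get(ANDROID + "name"), actions, schemes))
    return findings

if __name__ == "__main__":
    for name, actions, schemes in unguarded_activities(SAMPLE_MANIFEST):
        print(f"{name}: no android:permission; actions={actions} schemes={schemes}")
```

An activity flagged here that goes on to perform a privileged operation, such as placing a call, needs either an `android:permission` requirement on the component or a caller check in its code.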