Apple - Do iPhone apps have permission to make calls without user interaction?

I've experimentally checked the iOS behavior by trying to initiate a phone call from one of my apps.

Here are the results:

• It is possible to programatically start a phone call without user confirmation. I've just written a single line of code that is executed right after the App has been loaded. Meaning that if your App is in the foreground it can start a call at anytime, even without needing user to tap anywhere.
• I've sent a silent remote push notification to the App in order to wake it app if it is not running, and then execute the same code. No call was started; iOS does not allow an app to initiate a phone call if the app is running in the background.

So answering your questions, the only way to start a phone call without the user noticing it, is by somehow convincing the user to leave the malicious application running in the foreground, and then start the phone call, as iOS won't allow this operation if the app is backgrounded.

Currently iOS does not provide any mechanism to block starting phone calls from a particular app, but it can only happen if the app is in the foreground.

I've made a test app to check this. App can open URL such as tel://123456789 only when it is in foreground and active. When I call this code even just after entering the background state, the API to open this URL did nothing. So to answer your question - apps won't be able to make a call without your knowledge.

To test this paste this in your AppDelegate:

- (void)applicationDidEnterBackground:(UIApplication *)application {
   [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"tel://123456789"]];
}

When trying to initiate a call on iOS >= 10.3, a popup will always be displayed to the user. Docs