Saturday, 18 August 2012 11:41

Old SMS Bug Found That Still Exists In Apple Products Including iOS 6

It seems there is a flaw in the way that Apple implements the SMS protocol on their phones. As most know, there is no such thing as secure communication when you are transmitting data back and forth over the internet. There are methods that are more secure than others, but nothing is “secure”. This holds true for the PDU protocol (Protocol Description Unit, which covers SMS), which has multiple pieces, standards and even methods for transfer. Because of the complex nature of this standard, it is in the hands of the phone developer and the carrier to make sure the implementation is done correctly.

Now one of the big areas of concern is with the originating number and the “reply-to” number. This is very similar to what happens in email. While an email might be sent from one address, you can set the reply-to address as something else. In many email clients the actual address can be shown to ensure that you are at least replying to the right domain and not to someone else. This ability to spoof the reply-to address has been used to fool many people into clicking on links in emails they thought were valid.

The same can be said for SMS clients. If they only show the reply-to address, then you are at a disadvantage when you are sending SMS messages. For most Android phones, the messaging client will show both the reply-to and the originating number, just as with most Windows Phones. Again, this is like showing the reply-to and the original email address. It is a good thing and helps to prevent you from replying to the wrong number. Now, as we mentioned, this covers most, but not all, phones with the Android OS. However, with Android you can grab a number of SMS apps that will give you this as part of their security features (we like to use Handcent SMS, but there are many more out there). The same is true of the iPhone. There are a handful of good apps that will allow you to get these extras, but in many cases you have to set up a new phone number for your device through the app. This limits their usefulness for many users: who wants to deal with a different phone number for texts?

This means that for a large portion of the iPhone-owning population this flaw still exists in the same form it did when the iPhone was launched 5 years ago. It seems an odd flaw to leave open considering that SMS and MMS text messages are one of the primary means of communication for many people. The numbers will prove that with any carrier. How many of you will make a single phone call in a day but send a large number of texts? I know that I do just about every day. Apple should have addressed this flaw a long time ago, in the same way that carriers need to take responsibility for verifying the UDH (User Data Header) on SMS traffic traveling over their network. If they did this, it would cut down on a fairly large security threat. It would be pretty easy to do this without the need to read the message, in the same way that setting up a reverse DNS (resolving the originating IP of a mail server to the claimed domain name) helps to prevent spam.

According to pod2g, the researcher that found this flaw five years ago, it is of great concern and Apple should fix this before the release of iOS 6. His reasons?

“Why is it an issue?
- pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated website. [Phishing]
- one could send a spoofed message to your device and use it as a false evidence.
- anything you can imagine that could be utilized to manipulate people, letting them trust somebody or some organization texted them.
Now you are alerted. Never trust any SMS you received on your iPhone at first sight.”


On top of all of this, with the increase in malware for mobile devices, it is simply the smart thing to do in order to protect your customers. We would expect Apple, Microsoft and Google to all ensure that the SMS text messages sent and received are valid and that they can quickly show the user the ones that are not. Doing this is simply showing responsibility and concern for your customers.

Last modified on Saturday, 18 August 2012 12:12
