Earlier this month, news surfaced that iPhones were more susceptible to spoofed SMS messages and phishing attempts via text, and now it seems the vulnerability is more or less exclusive to iOS.
That's according to research from mobile security firm AdaptiveMobile, which says it may be harder to spot spoofed texts and phishing attacks on the iPhone than on other mobile OSes. At issue is the fact that iOS displays the "reply to" number for received texts, which can be modified to make it appear as if a text message originated from a different number than it was actually sent from.
"We have tested this issue on Android, Windows Mobile, BlackBerry, and Symbian phones and most of them simply ignore the 'reply address' field or display both the 'real' originating address and the reply address as per the specification recommendations," Cathal McDaid, security consultant at AdaptiveMobile, said in a statement sent to CNET. "The iPhone, so far, is the only device which does not comply with these security recommendations."
McDaid says the "reply to" field was introduced to provide a way to respond to broadcast texts from marketing firms or other agencies that may not be capable of receiving messages, but most handsets now ignore the field.
"Apple has left a significant vulnerability in its handsets which could allow consumers to be fooled and hand over personal details to hackers and criminals," says McDaid.
Apple has not responded to our repeated requests for comment on the SMS issue, but did offer a response that seemed to pass the buck on to SMS technology itself. Apple also noted that if everyone used iMessage, which authenticates messages sent from iOS to iOS, there would be no problem.
Yes, total world domination by a single platform is one way to take care of such issues, I suppose.
Apple does have a point, however, that SMS is not a fully secure means of communication by any stretch of the imagination, and it's probably better to restrict the amount of sensitive information you send via text, even if it's requested by what appears to be a legitimate party. That thing you receive texts on also makes calls, you know. Why not dial up your local banker to make sure they really need you to re-confirm your personal information via SMS?