Last week we found out about a new SMS security hole in the iPhone that could potentially leave users vulnerable to phishing attempts. To put it simply, this hole allows undesirable people to change the reply-to address on the texts they send you, making them appear to be legitimate and possibly convincing you to hand over some personal details. AdaptiveMobile has published a new report on the security hole, and while it may be scary for iPhone users, it appears that this flaw doesn’t affect devices running a different OS.
AdaptiveMobile’s Cathal McDaid attempted the exploit on Android, Symbian, Windows Mobile and BlackBerry devices and found that it worked on none of those. The reason for this is because most handsets step around the flaw by not showing the Reply-Address at all. McDaid warns that any devices which show the Reply-Address are less secure than those which don’t, so this problem isn’t necessarily exclusive to iPhone – it’s just that the majority of the devices tested don’t show the address in the first place.
After the vulnerability came to light, Apple made a statement to Engadget, instructing texters to use iMessage instead of SMS, as iMessage is more secure. “Apple takes security very seriously,” the statement reads. “When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.”
Obviously, iMessage is an exclusive feature of iOS, so when communicating with other devices that aren’t an iPhone, SMS has to be used. It’s still a bit unsettling, but really, staying secure does fall on the shoulders of the users in this case. It kind of goes without saying that it isn’t a good idea to share personal information on your phone, and if you get a suspicious looking message, it’s probably a good idea to follow up before sending off information that could come back to haunt you (for instance, call your bank and check with it if you get a message claiming to be from it). It may not be the most desirable solution to these problems, but it’s a lot better than having personal information out in the open thanks to one bogus text.