Apple admits SMS vulnerability, pushes iMessage

iMessage is still secure even if SMS isn't

In response to recent news revealing an iOS texting security flaw, Apple released a statement claiming to know about the flaw and urging alternative messaging methods.

The statement reads, "Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks."

"One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS."

The response isn't the affirmation consumers want, but it is an honest account of a potentially dangerous security loophole that Apple is now calling a "limitation".

Texts matter

It might not be readily apparent why replacing a "reply-to" field in an SMS message could be so potentially harmful to the consumer. Unless you do banking by text, shopping by text, or interact with business entities by text, a spoofed text will look like spam no matter who it's from.

For the millions of mobile users who do have alerts sent to their phones via text, this presents a real quandary.

Yes, iMessage verifies sender and receiver accounts before submitting the message, which makes it a more secure system than iOS SMS. However, banks, airlines, and other businesses haven't started offering iMessage update options yet, so the practical issue that the security flaw exposes remains unsolved.

Perhaps what's most troubling about Apple's statement is the absence of a proposed plan to fix the SMS "limitation".

The iOS 6 beta has also been confirmed as vulnerable to this issue. Here's to hoping that the full release fares better.

Via Engadget