Apple urges users to stick with iMessage to avoid iPhone SMS spoofing

Apple on Saturday officially responded to reports that its latest mobile operating system remains vulnerable to text message spoofing, recommending that customers use its more secure iMessage service instead.
A hacker on Thursday drew headlines when he urged Apple to plug a hole in iOS that could allow malicious individuals to send text messages that appear as if they're coming from someone else.
As on other mobile operating systems, SMS messages on iOS support optional, advanced fields in the header section of a text message, including a "reply to" address. Since most wireless carriers don't perform verification checks on these header fields, incoming SMS messages on iPhones could be manipulated to appear as if they're coming from the "reply to" address and not the actual sender.
In a statement obtained by Engadget, Apple reminds customers that its iMessage service was designed to safeguard against the vulnerabilities of the older Short Message Service (SMS):
"Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS."
"Spoofed" SMS messages can carry anything from spam to phishing attempts aimed at personal information. The weakness in the SMS specification is similar to vulnerabilities in the standard email specification, which likewise does not authenticate the names and addresses in header data.
Introduced by Apple in June of 2011 as an alternative to SMS messaging, iMessage allows users to send texts, photos, videos, contact information, and group messages over Wi-Fi or 3G to other iOS 5 users. It's accessible through the Messages app on an iPhone, iPad, or an iPod touch running iOS 5 or later or on a Mac running OS X Mountain Lion or later.