Apple responds to iPhone SMS security vulnerability
Yesterday I reported on revelations that iPhones may be particularly vulnerable to an SMS spoofing attack. Basically, because of the way iOS handles text headers, a nasty person could manipulate the "reply-to" number to appear to be someone they're not, like a financial institution.
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown Web site or address over SMS.
I've never written a messaging app that works with SMS before, but it would seem to me that completely passing the buck on to the technology as Apple seems to be doing here, is a cop-out. As hacker pod2g explained in his post on the vulnerability, the text header contains both the actual originating number of a text, and the reply-to text. Making both fields a little more visible would certainly be a start, although it's true that SMS is far from being iron-clad in terms of security.
With that in mind, continue to be vigilant about text messages and careful about how you use them. There are a number of different ways to do your banking these days -- SMS shouldn't be one of them.
I've contacted Apple for comment and will update this post if and when I hear back.