Apple Suggests iMessage As SMS Bug Work-Around
Rather than fixing a security problem discovered last week, Apple tells users concerned with SMS spoofing to use its iMessage product instead of text messages.
"Apple takes security very seriously," said Apple in a statement sent to Engadget over the weekend. "When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS."
In other words, Apple suggests that users concerned with the security of their smartphone should trust iMessage instead of SMS. If only it were that easy.
iMessage is only available to Apple's iPhone, iPad, and Mac computers. It uses the Internet to send short messages between devices rather than the traditional pipes used to deliver text--or SMS--messages. It works really well for iOS and Apple device users, and is helpful because it syncs conversations across devices. I can start an iMessage conversation on my iPhone and continue it later from my desktop.
As Apple said above, iMessage users are verified against email addresses, Apple accounts, and also phone numbers that can be attributed to real people.
[ Apple doesn't talk about security very often. Read Apple Security Talk Suggests iOS Limits. ]
In the real world, though, most people buying new smartphones aren't choosing the iPhone and iMessage--they're picking Android smartphones. Further, there are still plenty of other smartphone options out there: Windows Phone, BlackBerry, Symbian, and so on. Hundreds of millions of people out there are sending text messages the old fashioned way because they don't have access to iMessage.
It's also worth pointing out that bad guys don't play by the rules. People who are serious about ripping off others probably won't be using accounts that can be tied to their real identity.
So what's an iPhone user to do in this case? As Apple (and the researcher pod2G who discovered the bug) says, don't click on links in SMS messages if you don't know with certainty who the sender is. Additionally, don't send personal information in response to SMS messages from financial or other institutions.
Android and Apple devices make backup a challenge for IT. Look to smart policy, cloud services, and MDM for answers. Also in the new, all-digital Mobile Device Backup issue of InformationWeek: Take advantage of advances that simplify the process of backing up virtual machines. (Free with registration.)