The bug, unearthed by researcher pod2g, essentially allows hackers to spoof the reply-to number in a text message. Doing this could let unsavory types send messages that appear to come from one entity (such as your bank), but that direct the responses elsewhere. The security researcher warned that such spoofing could be used to trick iPhone users into revealing personal information via text message that could then be used to gain access to personal accounts.
"Historically, the 'reply-address' field was introduced to allow users to reply to texts which were 'broadcast' from information agencies or marketing firms," said Cathal McDaid, security consultant at AdaptiveMobile. "These broadcast systems may not be capable of receiving messages, so this system allows for more interaction."
[ Should Apple be focusing more on security? Read Apple Security Talk Suggests iOS Limits. ]
AdaptiveMobile says that most handsets now ignore this quirk in the system and treat the reply-address field correctly. Its research confirms this to be true with Google's Android, RIM's BlackBerry, Nokia's Symbian, and Microsoft's Windows Mobile platforms.
"Apple has left a significant vulnerability in its handsets [that] could allow consumers to be fooled and hand over personal details to hackers and criminals," noted McDaid. "This reinforces the importance of handset manufacturers, operators, and security providers collaborating and helping to keep SMS as a secure, reliable, and trusted channel."
Apple responded to the issue, but didn't offer much of a fix.
"Apple takes security very seriously," said Apple in a statement. "When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS."
In other words, Apple suggests that users concerned with the security of their smartphone should trust iMessage instead of SMS. iMessage is available only on the iPhone, iPad, iPod Touch, and Apple computers.
Apple has not indicated if it plans to fix the security hole.
Android and Apple devices make backup a challenge for IT. Look to smart policy, cloud services, and MDM for answers. Also in the new, all-digital Mobile Device Backup issue of InformationWeek: Take advantage of advances that simplify the process of backing up virtual machines. (Free with registration.)