iPhone 2.1 Bug Watch: SMS Security and Mail Phishing/Spamming
Reader Karl writes in to let us know his twelve-year-old son discovered a glitch in SMS security:
Being security conscious he turned on the passcode lock and disabled SMS Preview. [...] If a message is received during the passcode entry or while the screen is locked, a generic message of “New Text Message” appears, to prevent viewing of messages without unlocking the phone. [...] If however the phone is placed in emergency call mode, any incoming SMS messages are previewed instead of presented as the generic messages.
Next come two issues concerning the implementation choices Apple made in the iPhone Mobile Mail client. According to Ars Technica, as disclosed by Aviv Raff, the first involves the way Mail truncates URLs for display on the iPhone. If an attacker crafts a malicious URL properly, the truncation can make the fake URL non-obvious to users, and thus more likely to result in successful phishing.
The second results from the lack of an option to turn off image display in the full HTML Mobile Mail client. Since images are automatically displayed, spammers can gain confirmation that the email account that received the message is active and ripe for spam attack.
As always, malicious attacks evolve and propagate at an alarming rate, and while we hope Apple fixes these immediately if not sooner, the onus is ultimately and always on us end users to pay attention and do everything we can to avoid them.