SMS touch a security and privacy nightmare for iOS users

Plaintext data transmissions make $1.99 app a spoofer’s delight…

An application known as "SMS touch" constitutes a veritable security and privacy nightmare for iOS users.

SMS touch is an application that allows users to send SMS text messages to any mobile device across 820 networks in 220+ countries for just 9 euro cents per message. That's a fraction of what mobile carriers typically charge for an international SMS text.

The program works on iPhone and iPod touch, which means users can send SMS messages through the app even if they don't have a cellular plan. All they need is Wi-Fi, and they're good to go.

iTunes page for SMS touch

Pretty nifty, right?

Unfortunately, "nifty" comes at the cost of users' privacy and security for this application.

When they first launch the app, SMS touch prompts the user to enter a username and email address. The program sends this information to its server, which responds with a PIN that the user must enter whenever they log in.

There's just one problem: these server requests take place in cleartext, so anyone able to observe the network traffic could easily capture or spoof a user's email address, password, and/or PIN to gain access to their account.

That's not all. It gets worse. As Zscaler's Viral Gandhi explains in a blog post:

"Once the user clicks 'Send,' the app also sends the SMS content to the server over a cleartext network channel.... Many users send sensitive information over SMS.... This data can easily be accessed by an outsider simply tapping in to the application’s network. We witnessed such a transaction in the Zscaler cloud with a user of this app. See below."

SMS information sent in cleartext, observable in the Zscaler cloud. (Source: Zscaler)
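Zscaler spotted the problem because the registration, login, and message-send requests were all readable in its cloud proxy logs. The following script, an added example and not code from the article or from the SMS touch developers, shows how a defender can do the same kind of triage over their own proxy logs: it flags any plain-HTTP request whose query string or form body carries credential- or message-like fields. The log lines, the host `api.example-sms.invalid`, and the field names are constructed for the example and do not come from the article.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (NOT real SMS touch traffic). Line format:
#   <method> <url> <content-type> <form-body or ->
SAMPLE_LOG = [
    "POST http://api.example-sms.invalid/register application/x-www-form-urlencoded username=alice&email=alice%40example.com",
    "POST http://api.example-sms.invalid/login application/x-www-form-urlencoded email=alice%40example.com&pin=4821",
    "POST http://api.example-sms.invalid/send application/x-www-form-urlencoded to=%2B441234567890&message=your+code+is+992113",
    "GET https://api.example-sms.invalid/balance - -",
    "GET http://cdn.example-sms.invalid/logo.png - -",
]

# Parameter names that should never cross the wire unencrypted.
# Assumed list for this example; extend it for your own environment.
SENSITIVE_FIELDS = {"username", "email", "password", "pin", "passcode", "otp", "message"}


def parse_line(line):
    """Split one constructed log line into (method, url, content_type, body)."""
    method, url, ctype, body = line.split(" ", 3)
    return method, url, ctype, body


def sensitive_fields(url, ctype, body):
    """Return the sensitive parameter names present in the query string or form body."""
    found = set()
    query = urlsplit(url).query
    for name in parse_qs(query, keep_blank_values=True):
        if name.lower() in SENSITIVE_FIELDS:
            found.add(name.lower())
    # Only form-encoded bodies are inspected; "-" marks a request without a body.
    if ctype == "application/x-www-form-urlencoded" and body != "-":
        for name in parse_qs(body, keep_blank_values=True):
            if name.lower() in SENSITIVE_FIELDS:
                found.add(name.lower())
    return found


def find_cleartext_leaks(lines):
    """Return one finding per plain-HTTP request that carries sensitive fields.

    HTTPS requests are skipped: the proxy cannot read their bodies, and neither
    can anyone else on the path. Plain-HTTP requests without sensitive fields
    (static assets, for instance) are skipped as well, to keep the noise down.
    """
    findings = []
    for line in lines:
        method, url, ctype, body = parse_line(line)
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue
        fields = sensitive_fields(url, ctype, body)
        if fields:
            findings.append({
                "method": method,
                "host": parts.hostname,
                "path": parts.path,
                "fields": sorted(fields),
            })
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_leaks(SAMPLE_LOG):
        print(f"{finding['method']} http://{finding['host']}{finding['path']} "
              f"leaks {', '.join(finding['fields'])} in cleartext")
```

Run against the sample, the script reports the registration request (username and email), the login request (email and PIN), and the send request (message body), and stays silent about the HTTPS balance check and the logo download. In a real deployment the same logic would sit on a proxy or NetFlow export, and any app producing such findings is a candidate for a block rule until its developer ships a TLS-only release.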

Zscaler subsequently reached out to the developers of SMS touch. They acknowledged the vulnerability and said they'll release a fix... by the end of 2017.

This isn't the first iOS app that's threatened users' privacy and security, and it certainly won't be the last. With that said, iOS users should, as a rule, only download apps from trusted developers on Apple's App Store. If they don't recognize a developer, they should research them and read the reviews of a particular app before they proceed with installation.


One Response

  1. Kas

    August 11, 2017 at 10:08 am

    This is pretty common among VoIP apps; SRTP, TLS and secure signalling are seldom implemented.