SMS touch a security and privacy nightmare for iOS users

Plaintext data transmissions make $1.99 app a spoofer’s delight…

David Bisson

An application known as “SMS touch” constitutes a veritable security and privacy nightmare for iOS users.

SMS touch is an application that allows users to send SMS text messages to any mobile device across 820 networks in 220+ countries for just 9 euro cents. That’s a fraction of what other mobile carriers would charge for an international SMS text.

The program works on iPhone and iPod touch, which means users can send SMS messages through the app even if they don’t have a cellular plan. All they need is Wi-Fi, and they’re good to go.

iTunes page for SMS touch

Pretty nifty, right?

Unfortunately, “nifty” comes at the cost of users’ privacy and security for this application.

When a user first downloads the app, SMS touch prompts them to enter a username and email address. The program sends this information to its server, which responds with a PIN for the user to enter whenever they log in.

There’s just one problem: these server requests take place in cleartext, meaning an attacker could easily spoof a user’s email address, password, and/or PIN to gain access to their account.

That’s not all. It gets worse. As Zscaler’s Viral Gandhi explains in a blog post:

“Once the user clicks ‘Send,’ the app also sends the SMS content to the server over a cleartext network channel…. Many users send sensitive information over SMS…. This data can easily be accessed by an outsider simply tapping in to the application’s network. We witnessed such a transaction in the Zscaler cloud with a user of this app. See below.”

SMS information sent in cleartext, observable in the Zscaler cloud. (Source: Zscaler)

Zscaler subsequently reached out to the developers of SMS touch. They acknowledged the vulnerability and said they’ll release a fix…by the end of 2017.

This isn’t the first iOS app that’s threatened users’ privacy and security, and it certainly won’t be the last. With that said, iOS users should in most cases download apps only from trusted developers on Apple’s App Store. If they don’t recognize a developer, they should research them and read the reviews of a particular app before they proceed with installation.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “SMS touch a security and privacy nightmare for iOS users”

  1. Kas

    This is pretty common among VoIP apps; SRTP, TLS and Secure Signalling are seldom implemented.
