An application known as “SMS touch” constitutes a veritable security and privacy nightmare for iOS users.
SMS touch is an application that allows users to send SMS text messages to any mobile device across 820 networks in 220+ countries for just 9 euro cents. That’s a fraction of what other mobile carriers would charge for an international SMS text.
The program works on iPhone and iPod touch, which means users can send SMS messages through the app even if they don’t have a cellular plan. All they need is Wi-Fi, and they’re good to go.
Pretty nifty, right?
Unfortunately, “nifty” comes at the cost of users’ privacy and security for this application.
When they first download the app, SMS touch prompts the user to enter a username and email address. The program sends this information to its server, which responds with a PIN for the user to enter whenever they log in.
There’s just one problem: these server requests travel in cleartext, meaning anyone positioned on the network path could intercept a user’s email address, password, and/or PIN and use them to gain access to their account.
That’s not all. It gets worse. As Zscaler’s Viral Gandhi explains in a blog post:
“Once the user clicks ‘Send,’ the app also sends the SMS content to the server over a cleartext network channel…. Many users send sensitive information over SMS…. This data can easily be accessed by an outsider simply tapping in to the application’s network. We witnessed such a transaction in the Zscaler cloud with a user of this app. See below.”
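The two weaknesses described above (credentials and PINs exchanged during registration and login, and the SMS body itself, all sent without TLS) are exactly what a cloud proxy or network monitor can flag. The following scanner is an added example, not code from the article, from Zscaler, or from the SMS touch developers: it parses captured HTTP requests, pulls fields out of form-encoded or JSON bodies, and reports any sensitive field that left the device on a non-TLS port. The hostname, paths, field names and captured requests are constructed placeholders modelled on the flow the post describes, not the app's real endpoints.

```python
"""Cleartext-credential detector over captured HTTP requests.

Added example (not from the article, Zscaler, or the SMS touch developers).
Hostnames, paths, field names and the sample captures are constructed.
"""
import json
from urllib.parse import parse_qs

# Field names that should never travel unencrypted (assumed naming).
SENSITIVE_KEYS = {"username", "email", "password", "pin", "message", "sms_body"}


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def extract_fields(req: dict) -> dict:
    """Return key/value pairs from a form-encoded or JSON request body."""
    ctype = req["headers"].get("content-type", "")
    body = req["body"]
    if not body:
        return {}
    if "application/json" in ctype:
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return {}
        return {str(k): str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    # Default to application/x-www-form-urlencoded.
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def cleartext_findings(captures, tls_ports=(443,)):
    """Return (host, path, field) tuples for sensitive fields sent without TLS.

    Each capture is a (destination_port, raw_request) pair. Requests to a TLS
    port are skipped: a passive observer would only see ciphertext there.
    """
    findings = []
    for dst_port, raw in captures:
        if dst_port in tls_ports:
            continue
        req = parse_http_request(raw)
        host = req["headers"].get("host", "?")
        for key in extract_fields(req):
            if key.lower() in SENSITIVE_KEYS:
                findings.append((host, req["target"], key.lower()))
    return findings


# Constructed sample captures modelled on the flow in the post: registration
# (username + email), login (PIN) and sending an SMS body, all over port 80,
# plus the same login over port 443 to show that the TLS path is not flagged.
SAMPLE_CAPTURES = [
    (80, "POST /register HTTP/1.1\r\nHost: api.example-sms.invalid\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         "username=alice&email=alice%40example.invalid"),
    (80, "POST /login HTTP/1.1\r\nHost: api.example-sms.invalid\r\n"
         "Content-Type: application/json\r\n\r\n"
         '{"email": "alice@example.invalid", "pin": "4821"}'),
    (80, "POST /send HTTP/1.1\r\nHost: api.example-sms.invalid\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         "to=%2B4915112345678&message=My+bank+code+is+7731"),
    # Over TLS the observer sees only ciphertext; the plaintext is shown here
    # solely so the port check has something to skip.
    (443, "POST /login HTTP/1.1\r\nHost: api.example-sms.invalid\r\n"
          "Content-Type: application/json\r\n\r\n"
          '{"email": "alice@example.invalid", "pin": "4821"}'),
]

if __name__ == "__main__":
    for host, path, field in cleartext_findings(SAMPLE_CAPTURES):
        print(f"cleartext sensitive field '{field}' sent to {host}{path}")
```

Running the block lists five findings: `username` and `email` from registration, `email` and `pin` from login, and `message` from the send request; the port-443 login produces none. The port check is deliberately simple; a production monitor would decide based on whether a TLS handshake was actually observed on the flow rather than on the port number alone.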
Zscaler subsequently reached out to the developers of SMS touch. They acknowledged the vulnerability and said they’ll release a fix…by the end of 2017.
This isn’t the first iOS app that’s threatened users’ privacy and security, and it certainly won’t be the last. With that said, iOS users should as a rule download apps only from trusted developers on Apple’s App Store. If they don’t recognize a developer, they should research them and read the reviews of a particular app before they proceed with installation.
This is pretty common among VoIP apps: SRTP, TLS and secure signalling are seldom implemented.