Apple urges users to stick with iMessage to avoid iPhone SMS spoofing

Comments

  • Reply 61 of 137


    considering i've got quite a few friends that can't do iMessage, what should we do to text them?

  • Reply 62 of 137
    solipsismxsolipsismx Posts: 19,566member
    elrcastor wrote: »
    considering i've got quite a few friends that can't do iMessage, what should we do to text them?

    Email, IMs, or you could just call them. Bottom line, this isn't an iPhone issue so Apple's response is just to pimp their own services. This is all expected behaviour.
  • Reply 63 of 137
    dskdsk Posts: 18member


    Why does everyone keep saying it's a general SMS problem? It's Apple's implementation that is insecure. Other phones do not interpret 'reply-to' as 'from' field.

  • Reply 64 of 137
    diddydiddy Posts: 282member

    Quote:

    Originally Posted by dsk View Post


    Why does everyone keep saying it's a general SMS problem?



     

    It's the SMS specification.  Something that Apple has no control over.



    EDIT:  And it does affect other phones.  From MacWorld


     



    Quote:


    In fairness, the iPhone is not the only handset vulnerable to SMS spoofing. Plenty of websites offer SMS spoofing as a service, one that isn’t limited to Apple’s handsets. The main issues seem to be that some phones, including the iPhone, are compatible with the UDH indicator that allows for alternative reply-to addresses, and that the iPhone in particular doesn’t show the original address.



    So it isn't something that is specific to the iPhone but rather to the nature of SMS itself.  SMS is prone to spoofing.  



  • Reply 65 of 137
    This IS an Apple/iPhone issue.

    There's a lot of weird misinformation in this thread, so let me clear it up: When you send an SMS message, you have two fields. FROM and REPLY-TO. You can only alter the REPLY-TO, and not FROM. The problem is that the iPhone hides the FROM (which is correct) and replaces it with the REPLY-TO field if it's present. It's a really dumb thing to do, and it's entirely a decision by Apple. (Other phones may do this, too, but that's completely beside the point - it's entirely up to the software developer.)

    Also, it's not a "vulnerability" in the SMS system, as the REPLY-TO field is designed to be filled with whatever the user wants... but it's known that this information could be false, so it's supposed to be used as a request by the sender. As in, "Yes, I know this message was sent from X, but it would be better for me if you replied to Y. Thanks".

    Anyone suggesting everyone use iMessage is beyond idiotic for all the obvious reasons people have pointed out. A simple tweak to iOS so that messages are only ever seen to be coming from the FROM field would fix the issue.

    Hopefully the final version of iOS 6 will fix this issue.
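
Added example (not part of the thread or any poster's code): a minimal Python parser for a received SMS-DELIVER TPDU that keeps the originating address (the "FROM" in Reply 65) as the displayed sender and surfaces the UDH reply address only as a flagged hint. The sample PDUs and phone numbers are constructed, the function names are illustrative, and the Reply Address Element identifier 0x22 is taken from 3GPP TS 23.040, not from this page.

```python
# Added example: receiver-side handling of the two address fields.
REPLY_ADDRESS_IEI = 0x22  # Reply Address Element (3GPP TS 23.040 UDH)

def decode_address(buf, pos=0):
    """Decode an address field at buf[pos]; return (text, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated address header")
    n_semi, toa = buf[pos], buf[pos + 1]   # useful semi-octets, type-of-address
    end = pos + 2 + (n_semi + 1) // 2
    raw = buf[pos + 2:end]
    if end > len(buf):
        raise ValueError("truncated address value")
    ton = (toa >> 4) & 0x7
    if ton == 0x5:                         # alphanumeric sender ID, left undecoded
        return "alnum:" + raw.hex(), end
    # Digits are stored as swapped nibbles, padded with 0xF when odd.
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)[:n_semi]
    return ("+" if ton == 0x1 else "") + digits, end

def parse_deliver(pdu_hex):
    """Return (originating_address, reply_address_or_None) for a TPDU
    given as hex without the SMSC prefix."""
    buf = bytes.fromhex(pdu_hex)
    if not buf or buf[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    has_udh = bool(buf[0] & 0x40)          # TP-UDHI bit
    origin, pos = decode_address(buf, 1)   # TP-OA
    pos += 1 + 1 + 7 + 1                   # skip TP-PID, TP-DCS, TP-SCTS, TP-UDL
    reply_to = None
    if has_udh:
        if pos >= len(buf):
            raise ValueError("missing user data header")
        ie, end = pos + 1, pos + 1 + buf[pos]
        if end > len(buf):
            raise ValueError("header longer than user data")
        while ie + 2 <= end:               # walk the information elements
            iei, iedl = buf[ie], buf[ie + 1]
            if ie + 2 + iedl > end:
                raise ValueError("information element overruns header")
            if iei == REPLY_ADDRESS_IEI:
                reply_to, _ = decode_address(buf[ie + 2:ie + 2 + iedl])
            ie += 2 + iedl
    return origin, reply_to

def display_fields(pdu_hex):
    """Never substitute the reply address for the sender; flag a mismatch."""
    origin, reply_to = parse_deliver(pdu_hex)
    return {
        "shown_as_sender": origin,
        "reply_hint": reply_to,
        "warn": reply_to is not None and reply_to != origin,
    }

# Constructed sample PDUs (fictional numbers), 8-bit payload "hi".
PLAIN = "04" "0891" "51551000" "00" "04" "21807121000000" "02" "6869"
WITH_REPLY = ("44" "0891" "51551000" "00" "04" "21807121000000"
              "0B" "08" "22" "06" "0891" "51551099" "6869")

if __name__ == "__main__":
    for name, pdu in (("plain", PLAIN), ("reply-address", WITH_REPLY)):
        print(name, display_fields(pdu))
```

A matching or absent reply address does not authenticate the sender; as later replies in this thread point out, the originating address can also be set by the sending service.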
  • Reply 66 of 137
    rednivalrednival Posts: 331member

    Quote:

    Originally Posted by JohnnyW2001 View Post



    This IS an Apple/iPhone issue.

    There's a lot of weird misinformation in this thread, so let me clear it up: When you send an SMS message, you have two fields. FROM and REPLY-TO. You can only alter the REPLY-TO, and not FROM. The problem is that the iPhone hides the FROM (which is correct) and replaces it with the REPLY-TO field if it's present. It's a really dumb thing to do, and it's entirely a decision by Apple to do this.

    Also, it's not a "vulnerability" in the SMS system, as the REPLY-TO field is designed to be filled with whatever the user wants... but it's known that this information could be false, so it's supposed to be used as a request by the sender. As in, "Yes, I know this message was sent from X, but it would be better for me if you replied to Y. Thanks".

    Apple suggesting everyone use iMessage is beyond idiotic for all the obvious reasons people have pointed out. A simple tweak to iOS so that messages are only ever seen to be coming from the FROM field would fix the issue.


     


    Uh oh....You explained the situation perfectly but called Apple idiotic. That's all most people on this forum will see.


     


    I will add that with all the analogies drawn to SMTP, it doesn't work like the iPhone at all.  I don't believe most (or any) mail clients worth mentioning show the "reply-to" address as who the message is from.  It is the reply-to address, not who it is from.    The mail clients I have worked with show reply-to differently than the from.


     


    I am not sure if the iPhone has done this since its release in 2007.  If they have, it shows this WAS a minor problem until now.  Now that it is a very public issue, the spammers will jump on it.  If Apple doesn't address it quickly and just counts on iMessage to be the fix, that would be idiotic.  That said, I took their statement on iMessage to be an interim solution until they get a patch out to fix the SMS issue.  Not that iMessage WAS the fix.


     


    Maybe that is just giving them the benefit of the doubt, but usually Apple patches these issues that reach the public eye quickly.

  • Reply 67 of 137
    rednivalrednival Posts: 331member

    deleted - dupe
  • Reply 68 of 137
    lilgto64lilgto64 Posts: 1,147member

    Quote:

    Originally Posted by nagromme View Post


    Are other smartphones immune from this SMS issue? Is it iPhone-specific? (Some statements imply that this is not an iPhone issue at all, just a carrier issue.)



     


    The headline should read more along the lines of "ALL SMS capable phones are vulnerable to spoofed SMS headers due to the SMS specification and a lack of security checks by ALL carriers - only Apple iOS and Mountain Lion offer a secure alternative called iMessage which does include security protocols to block such insecure communications" of course that is too long to work as a 10 second sound bite. 


     


    I find it odd that the service is called iMessage - but the app is named Messages in Mountain Lion - why not call the app iMessage?


     


    Regarding emails, despite the obvious lack of security verification of header information, some services (Yahoo) even make it easy to change your reply to address. Now I am sure there are plenty of legitimate reasons to do so and spammers etc would get around it even if there was no easy user interface way to set your reply to differently than your actual email address - but I have seen a couple of windows makes where their Yahoo reply to and or Vacation auto response got changed by some malicious website code or something - and caused a bunch of trouble. Of course these are users who end up with 12 IE toolbars installed and call me claiming "my computer stopped working" in cases where one web site will not load or they accidentally hit the WiFi off button.


     
  • Reply 69 of 137
    jragostajragosta Posts: 10,473member
    This IS an Apple/iPhone issue.
    There's a lot of weird misinformation in this thread, so let me clear it up: When you send an SMS message, you have two fields. FROM and REPLY-TO. You can only alter the REPLY-TO, and not FROM. The problem is that the iPhone hides the FROM (which is correct) and replaces it with the REPLY-TO field if it's present. It's a really dumb thing to do, and it's entirely a decision by Apple. (Other phones may do this, too, but that's completely beside the point - it's entirely up to the software developer.)
    Also, it's not a "vulnerability" in the SMS system, as the REPLY-TO field is designed to be filled with whatever the user wants... but it's known that this information could be false, so it's supposed to be used as a request by the sender. As in, "Yes, I know this message was sent from X, but it would be better for me if you replied to Y. Thanks".
    Anyone suggesting everyone use iMessage is beyond idiotic for all the obvious reasons people have pointed out. A simple tweak to iOS so that messages are only ever seen to be coming from the FROM field would fix the issue.
    Hopefully the final version of iOS 6 will fix this issue.

    This is absolutely false. You can also spoof the 'from' field:
    http://www.youspoof.info/textSpoofing.html
    "For example the sender could specify that the recipient's caller ID shows an incoming message is from "The Pope" and the text message reads "Repent!""

    or:
    http://spoofsms.net
    "You can put ANY mobile number or alphanumeric character in the "From" field when sending a message."

    Please stop spreading lies. It's bad enough when all the usual trolls here spread FUD, but you created a new account specifically to post something that's totally false? That's really sad.

    The fact is that there's nothing at all in this that is iOS specific and it can affect EVERY SMS user. The only exception is if you're using iOS and iMessage, you have some warning.

    The really amazing thing is that even though this flaw affects everyone, if you search for 'sms spoof', you have to get near the end of the third page before you find even a single hit that doesn't present it as an iOS flaw.
  • Reply 70 of 137
    richlrichl Posts: 2,213member
    A proprietary technology, no matter how good, is not a suitable replacement for an open ubiquitous standard.

    Whilst there's no solution to this issue, there's certainly workarounds that Apple could implement.
  • Reply 71 of 137
    jragostajragosta Posts: 10,473member
    rednival wrote: »
    Uh oh....You explained the situation perfectly but called Apple idiotic. That's all most people on this forum will see.

    I will add that with all the analogies drawn to SMTP, it doesn't work like the iPhone at all.  I don't believe most (or any) mail clients worth mentioning show the "reply-to" address as who the message is from.  It is the reply-to address, not who it is from.    The mail clients I have worked with show reply-to differently than the from.

    I am not sure if the iPhone has done this since its release in 2007.  If they have, it shows this WAS a minor problem until now.  Now that it is a very public issue, the spammers will jump on it.  If Apple doesn't address it quickly and just counts on iMessage to be the fix, that would be idiotic.  That said, I took their statement on iMessage to be an interim solution until they get a patch out to fix the SMS issue.  Not that iMessage WAS the fix.

    Maybe that is just giving them the benefit of the doubt, but usually Apple patches these issues that reach the public eye quickly.

    As shown above, that is completely false. It is not in the least specific to iOS - other than iOS users at least have the potential to get a warning.

    I'm still waiting for you or someone else to show how Apple can solve this problem. It affects all phones (as shown by the above sites - one of which specifically mentions Android). So how do you propose that Apple 'fix' the problem - especially since the vast majority of phones out there are not Apple phones.
  • Reply 72 of 137
    muppetrymuppetry Posts: 3,331member
    jragosta wrote: »
    rednival wrote: »
    Uh oh....You explained the situation perfectly but called Apple idiotic. That's all most people on this forum will see.

    I will add that with all the analogies drawn to SMTP, it doesn't work like the iPhone at all.  I don't believe most (or any) mail clients worth mentioning show the "reply-to" address as who the message is from.  It is the reply-to address, not who it is from.    The mail clients I have worked with show reply-to differently than the from.

    I am not sure if the iPhone has done this since its release in 2007.  If they have, it shows this WAS a minor problem until now.  Now that it is a very public issue, the spammers will jump on it.  If Apple doesn't address it quickly and just counts on iMessage to be the fix, that would be idiotic.  That said, I took their statement on iMessage to be an interim solution until they get a patch out to fix the SMS issue.  Not that iMessage WAS the fix.

    Maybe that is just giving them the benefit of the doubt, but usually Apple patches these issues that reach the public eye quickly.

    As shown above, that is completely false. It is not in the least specific to iOS - other than iOS users at least have the potential to get a warning.

    I'm still waiting for you or someone else to show how Apple can solve this problem. It affects all phones (as shown by the above sites - one of which specifically mentions Android). So how do you propose that Apple 'fix' the problem - especially since the vast majority of phones out there are not Apple phones.

    It's not completely false; while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.

    Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.

    Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.
  • Reply 73 of 137
    jragostajragosta Posts: 10,473member
    muppetry wrote: »
    It's not completely false;

    Yes, it's completely false. The person I was responding to said that the 'from' field could not be spoofed and since Apple only relied on the 'reply to' field, that made Apple uniquely vulnerable. His statements were 100% false - as I showed.
    muppetry wrote: »
    while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.
    Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.
    Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.

    You're wrong, as well. You can spoof any field in SMS and any phone is vulnerable to such spoofing. There is absolutely nothing unique about iOS in this regard - except that iOS has at least a partial solution while no other mobile OS does.
  • Reply 74 of 137
    jragostajragosta Posts: 10,473member
    richl wrote: »
    A proprietary technology, no matter how good, is not a suitable replacement for an open ubiquitous standard.
    Whilst there's no solution to this issue, there's certainly workarounds that Apple could implement.

    That's undoubtedly true.

    The problem is that Apple has no control over the standard - they only control their own OS. So they have two options:
    1. "We can't fix the problem because it's a problem with the standard itself so we're doing nothing"
    or
    2. "We can't fix the problem because it's a problem with the standard itself, but we can provide at least some level of security for people who use our products".

    Clearly, Apple thinks the second option is the better one.

    I agree completely that it's not the BEST solution - which would involve fixing the standard itself, but Apple can't do that, so they have to fall back to the best solution that's available to them.
  • Reply 75 of 137
    muppetrymuppetry Posts: 3,331member
    jragosta wrote: »
    muppetry wrote: »
    It's not completely false;

    Yes, it's completely false. The person I was responding to said that the 'from' field could not be spoofed and since Apple only relied on the 'reply to' field, that made Apple uniquely vulnerable. His statements were 100% false - as I showed.
    muppetry wrote: »
    while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.
    Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.
    Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.

    You're wrong, as well. You can spoof any field in SMS and any phone is vulnerable to such spoofing. There is absolutely nothing unique about iOS in this regard - except that iOS has at least a partial solution while no other mobile OS does.

    I don't think we really disagree on much here, but you are still not strictly correct, and I'm not clear what I wrote that was wrong. There is a unique aspect to iOS - that, unlike all (?) other phones, it uses the "Reply-To" field (when present) instead of the "From" field, and so only iOS is vulnerable to "Reply-To" spoofing. However, I think that is probably irrelevant since, as you have pointed out, the "From" field can also be spoofed, and so it would only be a significant added vulnerability if it were easier to spoof the "Reply-To" field.
  • Reply 76 of 137
    vaelianvaelian Posts: 446member
    muppetry wrote: »
    jragosta wrote: »
    muppetry wrote: »
    It's not completely false;

    Yes, it's completely false. The person I was responding to said that the 'from' field could not be spoofed and since Apple only relied on the 'reply to' field, that made Apple uniquely vulnerable. His statements were 100% false - as I showed.
    muppetry wrote: »
    while all phones are vulnerable to spoofing the "From" field, the issue here is that iOS is also vulnerable to spoofing the "Reply-To" field.
    Whether that actually matters - for example if it is easier to spoof the "Reply-To" field than the "From" field then that could make it a bigger problem for iOS - does not seem to have been established.
    Apple clearly could change the way iOS handles and uses the "Reply-To" field, but it would only defeat one of those spoofing methods.

    You're wrong, as well. You can spoof any field in SMS and any phone is vulnerable to such spoofing. There is absolutely nothing unique about iOS in this regard - except that iOS has at least a partial solution while no other mobile OS does.

    I don't think we really disagree on much here, but you are still not strictly correct, and I'm not clear what I wrote that was wrong. There is a unique aspect to iOS - that, unlike all (?) other phones, it uses the "Reply-To" field (when present) instead of the "From" field, and so only iOS is vulnerable to "Reply-To" spoofing. However, I think that is probably irrelevant since, as you have pointed out, the "From" field can also be spoofed, and so it would only be a significant added vulnerability if it were easier to spoof the "Reply-To" field.

    This is not only common to iOS, that field predates the iPhone, and many phones have been vulnerable to that for a very long time. The "hacker" himself stated that this affected more than just iOS. I remember playing around with this particular issue as early as 2004, probably even before that, as the high-end Nokias and Siemenses already supported those fields. This issue is overblown, there is no real solution for it, and to blame a single vendor rather than the standard for it is retarded. Even if you start showing the sender field, that doesn't guarantee anything because that field is alphanumeric too and controlled by the sender.
  • Reply 77 of 137


    And I, in return, am going to urge Apple to get iMessages working as consistently as text messages. It's really frustrating when you sit there staring at a message trying to go out for a full 2 minutes before it times out and suggests you send it as a text message, which then goes off without a hitch.


     


    I love the concept of iMessages, but damn, get the thing working already.

  • Reply 78 of 137
    vaelianvaelian Posts: 446member
    richl wrote: »
    A proprietary technology, no matter how good, is not a suitable replacement for an open ubiquitous standard.

    Whilst there's no solution to this issue, there's certainly workarounds that Apple could implement.

    And what do you propose as workaround for this that actually addresses the problem other than using iMessage or similar services?
  • Reply 79 of 137
    muppetrymuppetry Posts: 3,331member
    vaelian wrote: »

    This is not only common to iOS, that field predates the iPhone, and many phones have been vulnerable to that for a very long time. The "hacker" himself stated that this affected more than just iOS. I remember playing around with this particular issue as early as 2004, probably even before that, as the high-end Nokias and Siemenses already supported those fields. This issue is overblown, there is no real solution for it, and to blame a single vendor rather than the standard for it is retarded. Even if you start showing the sender field, that doesn't guarantee anything because that field is alphanumeric too and controlled by the sender.

    OK - that may be true, but what the hacker actually said was:
    The flaw exists since the beginning of the implementation of SMS in the iPhone, and is still there in iOS 6 beta 4.

    He, and others seem to be arguing that of the current smartphone operating systems, only iOS displays the "Reply-To" field, but I guess that he does not explicitly state that anywhere.

    I agree that the issue as a whole is overblown, and, in particular, that the distinction between reply-to spoofing and from spoofing is overblown.
  • Reply 80 of 137
    jragostajragosta Posts: 10,473member
    vaelian wrote: »
    And what do you propose as workaround for this that actually addresses the problem other than using iMessage or similar services?

    The only workaround is for other companies to do what Apple does with iMessage - and use the optional fields so that they can mark potentially spoofed messages. Unfortunately, that's entirely outside of Apple's control.
    muppetry wrote: »
    I don't think we really disagree on much here, but you are still not strictly correct, and I'm not clear what I wrote that was wrong. There is a unique aspect to iOS - that, unlike all (?) other phones, it uses the "Reply-To" field (when present) instead of the "From" field, and so only iOS is vulnerable to "Reply-To" spoofing. However, I think that is probably irrelevant since, as you have pointed out, the "From" field can also be spoofed, and so it would only be a significant added vulnerability if it were easier to spoof the "Reply-To" field.

    That's a foolish distinction. There's no difference in the difficulty of spoofing 'reply to' and 'from' fields. If anything, it further reinforces Apple's advantage. If a hacker is going to spoof a field, they're more likely to spoof the 'from' field since that's what most phones use. So, by your own logic, iOS is BETTER than other phone operating systems.

    In fact, the links I provided above confirm that. Most of the third party 'anonymizer' sites talk about SMS spoofing, they are all spoofing the 'from' field, not the 'reply to' field. So iOS would not be spoofed while the majority of phones would be.

    So why is it that the first 26 hits on a search for 'sms spoof' are all about iOS?

    My guess is that the guy who started this didn't realize that you could spoof both 'from' and 'reply to' fields and thought he had discovered a real vulnerability with iOS.