Apple iMessage URLs ship OS, device, and IP data to sites, dev says

British developer Ross McKillop says Apple's implementation of URL previews leaks users' IP address and operating system information to websites. The leakage might be a boon to spammers, who could use the operating system information and IP address data to better hone their attacks. Links subject to previews, which displays …

  1. Andrew Jones 2

    There's a sane security reason usually a server is involved in actually generating the preview, especially when it comes to grabbing the og:image resource. I can't believe that they pushed out a product with such a blatant attack vector. Isn't there a security rule about not trusting 3rd party content by default etc? "Let's just take whatever information we get back from a 3rd party site, parse it and display it" What could possibly go wrong........ I don't have an iDevice to test it - but obviously the first thing anyone should test (bearing in mind Safari is the renderer) would be embedding javascript into the og:description field and see what happens when iMessage tries to preview the URL
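Added example, not part of the thread and not Apple's code: a minimal sketch of the server-side handling the comment above describes, where Open Graph fields from a third-party page are parsed as untrusted data and escaped before a preview is built. The function names, the length cap, the HTTPS-only image rule and the sample HTML are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_LEN = 200  # assumed display cap for any preview text field

class OGParser(HTMLParser):
    """Collect og:* <meta> properties; nothing is rendered or executed."""
    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop, content = a.get("property"), a.get("content")
        if prop and prop.startswith("og:") and content is not None:
            self.og.setdefault(prop, content)  # first value wins

def safe_text(value):
    # The parser has already decoded entities, so the value may contain
    # raw markup: drop control characters, cap length, then escape.
    cleaned = "".join(ch for ch in value if ch.isprintable())[:MAX_LEN]
    return html.escape(cleaned, quote=True)

def safe_image_url(value):
    # Allow-list: only absolute https URLs are passed on to the preview.
    url = value.strip()
    parts = urlsplit(url)
    if parts.scheme == "https" and parts.hostname:
        return html.escape(url, quote=True)
    return None

def build_preview(page_html):
    parser = OGParser()
    parser.feed(page_html)
    return {
        "title": safe_text(parser.og.get("og:title", "")),
        "description": safe_text(parser.og.get("og:description", "")),
        "image": safe_image_url(parser.og.get("og:image", "")),
    }

# Constructed sample page: markup hidden in og:description, non-https image.
SAMPLE = '''<html><head>
<meta property="og:title" content="Example page">
<meta property="og:description" content="&lt;script&gt;alert(1)&lt;/script&gt; hello">
<meta property="og:image" content="http://img.example/a.png">
</head></html>'''
```

Because the preview is built on a server from escaped text, the recipient's device never parses the third-party page itself, and the site sees the server's IP address and user agent rather than the recipient's.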

    1. albaleo

      "Isn't there a security rule about not trusting 3rd party content by default etc?"

      But doesn't that happen all the time with images, iframes, etc. from third party sites? Genuine question. I don't like the idea of url previews. But is a server generating a preview image not also susceptible to attack in the same way? Does it not just come down to the code that handles the response?

      1. Anonymous Coward

        Does it not just come down to the code that handles the response?

        It does, but you start by not getting yourself in a position where you are depending on code being clean - security is multi-layered and starts with good fundamentals. I agree with the OP that this is the sort of user friendliness that could have done with a bit more upfront thinking.

        This preview (like ANY preview since the day the concept was invented, really) should have been made optional, also because it has the potential to harm privacy.

        I must admit I'm getting worried about Apple insofar that their new boss seems to be susceptible to that featuritis virus that has infested Microsoft products from day 1. In Microsoft's case I can understand it because they were in need of a constant supply of features to sell updates (even if they had to make sh*t up to make it appear "new"), but Apple's strength was precisely its simplicity - sometimes maddeningly so.

        The new iOS 10 is a good hint that not all is well - the most important function of the device (logging in) now requires TWO actions unless you're into fingerprints and if you're honest you have to admit that the "new" in iOS 10 is of precious little true benefit.

        That is unless, of course, the ability to draw smiley faces in an iMessage is of vital importance to you...

    2. Naselus

      "Isn't there a security rule about not trusting 3rd party content by default etc?"

      In the real world, yes, but Apple's approach to security doesn't follow most of the other accepted security rules either.

      Apple's security is of the 'walled garden' variety in most respects - it assumes that Apple will have a large degree of control over all interactions that occur on Apple-made devices, that Apple developers are by definition the smartest people on the planet and cannot be out-witted by anyone else, and that revealing the existence of open security vulnerabilities (even without details) should be forbidden until after they have been patched (hence why until very recently their reaction to someone pointing out a bug was to try and sue them instead of handing them a bug bounty). They also assume that security is secondary to ease of use, and that there's no point attempting to teach the user even rudimentary security practices (Apple's contempt for its user base's intelligence and attention span is staggering - which would be terrible if most people who've met Apple fans didn't quickly develop the same feeling).

      These are all considered extremely bad practice in general IT security but are cornerstones of Apple's philosophy. That's why, despite them doing a good job within their own assumptions, Eugene Kaspersky described Apple's security as 'decades' behind Linux or Microsoft a couple of years ago - not because of individual security issues, but because their approach is considered to be conceptually flawed at a fundamental level. Almost all of Apple's major security breaches over the last few years (Like the iCloud hack, for example) were due to these flawed assumptions rather than any fault in the tech itself, and Apple usually needs someone to drive a bus through a gaping security hole before they're willing to change it.

      It's a bit like if Apple had the best technology for building castle gates in the world, but then don't teach the guards to lock them at night. They have access to - and include - great security technology... but then they use it in an insecure manner, usually running on the assumption 'well, no-one would use that anyway' when a weakness in their philosophy is discovered.

  2. fidodogbreath

    Pardon my ignorance...

    ...but do iPhone users have to use iMessage for SMS?

    On Android, there are scads of messaging apps to choose from. I remember reading in the early iPhone days that devs were not allowed to publish apps that had the same functionality as Apple's built-in apps. Does that restriction still exist?

    1. Anonymous Coward

      Re: Pardon my ignorance...

      but do iPhone users have to use iMessage for SMS?

      It's dual function, and you have admittedly not that much control over what it does. If you send an SMS to someone who the iPhone by some mechanism knows to have iMessage (usually because you've marked their number as "iPhone") it'll try sending an iMessage first. If that fails it converts to SMS (and you can force that while it's still trying) which has weird consequences for any non-text item such as images. In other words, it's hard work sending a genuine SMS to someone who is reachable via iMessage. If it doesn't find a data route to the recipient it'll send an SMS.

      In summary, it's automatic to a degree that I don't feel to be massively in control over what it decides..

      On the plus side, the iMessage/SMS subsystem cannot be subverted by software - it always demands user interaction. The disadvantage is that that makes encrypted SMS impossible (available on Android), but on the plus side you'll never have software texting to premium rate numbers without your knowledge either. Twelve on one side, a dozen on the other..

    2. paulf

      Re: Pardon my ignorance...

      @fidodogbreath "Pardon my ignorance... ...but do iPhone users have to use iMessage for SMS?"

      Simple answer is No. You can turn off iMessage which defaults everything to SMS/MMS which your mobile network charges for accordingly. Only downside is they haven't implemented SMS delivery reports - read reports are only available if you use iMessage.

      If you turn on iMessage the iPhone will attempt to use iMessage for everything it can, only dropping back to SMS/MMS where the recipient doesn't have an iPhone*, has an iPhone with iMessage turned off* or there's no data connection.

      In my case I leave iMessage off - SMS for text, then use email if I want to send pics. If GCHQ really think my ramblings are worth intercepting they can go to a court in the UK to get permission to wiretap my carrier rather than asking the NSA to do it for them via Apple's servers.

      *I think the iPhone queries Apple's servers to check if the recipient has an iPhone and is/isn't using iMessage. I suspect this is how the phone determines if a contact can receive a Facetime connection also.

    3. Anonymous Coward

      Re: Pardon my ignorance...

      fidodogbreath, short answer is yes. Like pretty much everything on there, you'll use Apple's app on Apple's phone and you'll love it, or else.

  3. Velv

    With no way to turn it off, and previews presumably using up data, I predict a class action lawsuit - "you used up all my data allowance, I want $50billion"

    Oh, and there's a security risk the real people should take note of.

    1. Timo

      iMessage was a way around expensive SMS

      At the time that iMessage came out sending messages over the data connection was much cheaper than sending them by SMS for 10 cents apiece, and was a way for Apple to gain control over the wireless operators. Now that SMS is dirt cheap and data is capped the equation may be different.

      1. Andrew Jones 2

        Re: iMessage was a way around expensive SMS

        The thing I have never managed to get my head around - this thing where people have group chats on iMessage where some recipients are other iMessage users and some are not iMessage users. This means that messages get sent to the non iMessage users as MMS and that replies from that user come in via MMS as well. Now the bit I don't get - is how the hell do people afford that?

        Back when iMessage launched as you say - SMS was expensive enough (it was 10p in the UK - I THINK it was after the SMS price war where it was 10p to text someone on the same network as you and anything from 12p - 25p to text someone on a different network) but MMS generally runs anything from 30p - 50p even these days (which I still don't understand, a single MMS message has a data cap of 300KB, and that's all it is some data, so when you total up how much 1GB of real internet data costs - compared to how few 300KB MMS messages you can send for the same price.......)

  4. My other car is a Stryker LAV

    So glad I rolled the missus' phone back to 9.3.5 without the iMessage preview (or any of the other "new" stuff that bothered her).

    For some reason, although mine is usually the first to update, it didn't care until a day later, and is still waiting. (Ha! Not gonna' let you update iOS this time!)
