Smartphone Security: You'll Never Guess Who Just Messaged You

06 Apr 2018

What if you could receive an SMS (or perhaps iMessage) from your friend, only to find out later that it wasn’t really from your friend at all? After working with the contacts framework on iOS, I was surprised to find that this is a very real possibility.

Disclaimer: it should go without saying, but please don’t use the below method for any untoward means. Both Apple and Google have been notified of the issue (the same attack may be feasible on Android devices too). I haven’t included source code, however implementing this would be a straight forward task.

The Attack

You are a tech savvy smartphone user, and you receive a message from a known contact, perhaps even a family member. Unknown to you, this message is actually from an attacker, and might contain a phishing link, question, or action that you would never consider taking from a stranger… but from a trusted contact this concern is all but gone.

Message from an Impersonated Contact

Messaging backward and forward is also possible. You can reply to the (presumed) trusted contact, and a reply will be returned… from the attacker. Meanwhile, the impersonated contact will have no idea this is happening.

Reply from an Impersonated Contact

After (or even if) you realise what has happened, you might not guess how. Perhaps you’d assume it is the sender’s device that was ‘hacked’. In actual fact, the real cause might be long gone from your device… an app you uninstalled months ago, potentially even one no longer available on the App Store.

How Did This Happen?

On closer inspection, the ‘trusted’ contact has an extra number assigned to their contact card. It is this number that was facilitating the message exchange between the attacker and target user.

At some point in the past - perhaps even months or years ago - you installed an app. The app may have performed its function well, doing what it claimed to. Alongside these things, the app did the following:

Ask you to provide your phone number during the setup process (perhaps for two factor authentication)
Ask for permission to access your contacts

Both of these are reasonably common app behaviors. As long as the app’s functionality warranted accessing this information, many users wouldn’t think twice. Meanwhile, underneath the pretense of providing real functionality, the app has selected target contact(s), silently adding an additional phone number. Your phone number, along with target contact data, is sent to an attacker - who stores this information for use at a later date.

Contact Permission Dialogue

All the attacker needs to do now is send you a message, from one of the numbers silently added to a trusted contact entry. Your device will display this as a message from the matching trusted contact… it knows no better. For even greater effect, the app could apply heuristics when selecting target contacts, preferring names such as ‘Dad’ and ‘Mom’, or contacts that have nicknames.

How This Could Be Resolved

iOS currently specifies just one contact permission, granting both read and write access. At the least, separating these permissions would seem sensible. Recording what application makes each edit would also be sensible, potentially allowing some sort of reversal or blacklist to be applied to maliciously edited numbers.

A great solution would be to do all of these things, alongside providing a UI signal when a message is received from an app-edited number for the first time.

What Should You Do?

Allowing apps access to your contacts means placing a great deal of trust in the app. Before granting permission, make sure that you are happy with them having complete read and write access to your address book… small apps from unrecognized publishers probably don’t fit that description. Large, branded apps are less likely to perform the described malicious behaviour (I’m sure it would be illegal in some manner).

As previously mentioned, both Apple and Google have been notified of the issue. Google marked the issue as ‘infeasible’, and Apple have indicated that they expect this sort of behaviour to be caught in the app review process. Despite the best intentions of catching this kind of malicious behavior during an app review, the app might only activate the behavior after a certain date, allowing it to pass through a review without issue.

For now, the best advice I can give is to make sure that you don’t allow apps access to your contacts unless they are from a trusted, named publisher.