undefined | Better HN

0 pointsaroman4y ago0 comments

And it has spam problems: https://www.wired.com/2014/08/apples-imessage-is-being-taken...

The problem is authenticity and authority, not encryption. How can the user know this message really came from Apple and not a spammer?

0 comments

simondotau4y ago

That article is seven years old and in no way reflects current reality. In fact it has never reflected my own experience or that of anyone I know, where iMessage spam has been near enough to non-existent.

And even if there were a spam problem, the risk is mostly on the upside anyway. It would only be an issue if iMessage got a reputation for flooding people with admonishments to take security seriously, purportedly from Apple.

rjzzleep4y ago

Meanwhile apple has added iMessage apps[1], that you can add to your iMessage and there recently were a few iMessage exploits including a zero-click one[2].

[1] https://support.apple.com/en-us/HT206906

[2] https://9to5mac.com/2021/07/19/zero-click-imessage-exploit/

simondotau4y ago

I think you have replied to the wrong person, otherwise I fail to see how either of these citations are in any way relevant.

rjzzleep4y ago

Yeah I did, sorry.

aromanOP4y ago

> That article is seven years old and in no way reflects current reality. In fact it has never reflected my own experience or that of anyone I know, where iMessage spam has been near enough to non-existent.

Your anecdotal lived experience is not representative of the entire population.

I personally have encountered at least a dozen spam iMessages (not SMS) in the past year, and several friends of mine have described the same experience. I googled iMessage spam and this was on the second page, just from last year: https://thisrupt.co/lifestyle/imessage-spam-not-thai-chana/ Feel free to research yourself to discover that it is in fact a widespread issue for many people, if not as widespread as it once was since the "Unknown sender" tab was introduced.

Regardless, SMS spam remains an issue, and on iOS, many users may not know the difference, as they're in the same app.

> And even if there were a spam problem, the risk is mostly on the upside anyway. It would only be an issue if iMessage got a reputation for flooding people with admonishments to take security seriously, purportedly from Apple.

You're missing the point. iMessage spam (though it does exist as I've shown above) is not the problem. The problem is iMessage doesn't have a good way to "verify" that messages that purport to be from Apple or anyone else truly are from a known and trusted sender. This deficiency is what enables iMessage spam, and creates the same potential for abuse with this new feature.

simondotau4y ago

> Your anecdotal lived experience is not representative of the entire population.

Of course. That goes without saying. But neither you nor this person you cherry picked from a Google search is representative either. (And it's noteworthy that you had to drill down into Google search results in order to find a useful citation. That alone is evidence of iMessage spam not being a broadly pervasive issue.)

> You're missing the point. iMessage spam (though it does exist as I've shown above)

Huh? I never said it didn't exist.

> is not the problem.

Huh? I never said it was the problem.

> The problem is iMessage doesn't have a good way to "verify" that messages that purport to be from Apple or anyone else truly are from a known and trusted sender.

I completely agree. I never disputed that.

dillondoyle4y ago

Yes thank you. this was the concern i was trying - seems like failed - to express.

There was even an article on HN a couple days ago about a money transfer service phishing scam whose initial message looks very similar to this message from Apple.

I think a LOT of people will fall for phishing with cold messages that look like this

natch4y ago

>How can the user know

Read the document of the original top post (the document from Apple).

The answer to your question is right there in the document.

aromanOP4y ago

That does nothing to verify authenticity within iMessage itself, creating the opportunity for abuse and impersonation I outlined in my other comment in this thread. A simple solution to this problem would be a "verified" indicator for users to know that the iMessage did in fact originate from Apple, without them having to first know that such a support document exists.

natch4y ago

Some of these scam messages, being tailored to individuals and not necessarily sent in bulk, do in fact come from technically valid Apple IDs that have been created for the purpose by the scammer. So they would show your little verified indicator just fine, so it doesn’t help.

And they did post the solution in the document. It’s an out of band verification. Pretty tried and true solution.

hibbelig4y ago

The use goes to the Apple ID website to confirm. Then they know if the message was genuine.

j / k navigate · click thread line to collapse

0 comments

simondotau4y ago

rjzzleep4y ago

Meanwhile apple has added iMessage apps[1], that you can add to your iMessage and there recently were a few iMessage exploits including a zero-click one[2].

[1] https://support.apple.com/en-us/HT206906

[2] https://9to5mac.com/2021/07/19/zero-click-imessage-exploit/

simondotau4y ago

I think you have replied to the wrong person, otherwise I fail to see how either of these citations are in any way relevant.

rjzzleep4y ago

Yeah I did, sorry.

aromanOP4y ago

Your anecdotal lived experience is not representative of the entire population.

Regardless, SMS spam remains an issue, and on iOS, many users may not know the difference, as they're in the same app.

simondotau4y ago

> Your anecdotal lived experience is not representative of the entire population.

> You're missing the point. iMessage spam (though it does exist as I've shown above)

Huh? I never said it didn't exist.

> is not the problem.

Huh? I never said it was the problem.

> The problem is iMessage doesn't have a good way to "verify" that messages that purport to be from Apple or anyone else truly are from a known and trusted sender.

I completely agree. I never disputed that.

dillondoyle4y ago

Yes thank you. this was the concern i was trying - seems like failed - to express.

There was even an article on HN a couple days ago about a money transfer service phishing scam whose initial message looks very similar to this message from Apple.

I think a LOT of people will fall for phishing with cold messages that look like this

natch4y ago

>How can the user know

Read the document of the original top post (the document from Apple).

The answer to your question is right there in the document.

aromanOP4y ago

natch4y ago

And they did post the solution in the document. It’s an out of band verification. Pretty tried and true solution.

hibbelig4y ago

The use goes to the Apple ID website to confirm. Then they know if the message was genuine.

j / k navigate · click thread line to collapse