iOS 11 now allows you to send incoming SMS messages through third-party filters, just like spam processing in email programs. The good ones are filtered into your main Messages view, while the bad ones land in a separate tab.
This is the fourth time Apple has layered spam- and abuse-related features into iOS. The previous three were: manual phone number and email address blocking in iOS 7 for voice calls, SMS, iMessages, and FaceTime; iMessage filtering for senders outside your Contacts in iOS 8; and call blocking and identification in iOS 10.
In this go-round, Apple isn't disguising the fact that it is trusting third parties with the option to offload and process what could be highly personal information. When the feature is turned on, iOS puts an unusual second hurdle in the way. It notes that SMS or MMS (multimedia messages) could contain sensitive information, confirmation codes for logins to bank accounts, and the like. You have to tap Enable to proceed.
Apple has put safeguards in place, but those squeamish about where their information winds up might prefer spam to filtering. And apps can choose to process everything locally, too, reducing concerns.
How SMS filtering works
With a third-party filter installed, iMessage filtering for unknown senders (an iOS 11 option found in Settings > Messages > Unknown & Spam), creates two tabs in Messages if enabled. A left tab shows Contacts & SMS; a right tab shows Unknown Senders. All SMSes remained in the left tab.
SMS filtering modifies that right tab when an applicable app is installed and the feature is enabled in the same setting area as iMessage filtering. The tab changes to read Unknown & Spam with both settings enabled, or SMS Junk with just text-message filtering.
Apple announced this feature at its WWDC conference in June, although it received little attention. In a presentation, the company explained to developers that iOS doesn’t pass the recipient’s phone number or any personally identifying information to the app, only the sender’s phone number (as identified by Caller ID) or email and the message text.
iOS doesn’t pass messages for filtering from phone numbers or email address in Contacts. It also stops filtering messages when you reply to the sender three times, as it assumes that is then a known and desired other party.
The app can opt to process entirely on the phone, using rules and downloaded databases. That’s similar to call blocking, in which Apple requires apps to have downloaded matching rules loaded by iOS, but Apple puts no constraints on how the app processes the text messages. iMessages remain transmitted only through end-to-end encrypted and on-device, and aren’t passed through.
But Apple also lets developers transfer the data off device. This changes the equation.
Deanonymization and targeted attacks
The company emphasized in its WWDC presentation that it designed in a number of safeguards. Developers must specify a fixed URL that can’t have any variables passed, preventing an app from intentionally or inadvertently passing data that identifies a user. It must also use a secure connection, which provides end-to-end protection.
Nonetheless, enormous amounts of privacy research have shown that seemingly anonymized information can be associated with great reliability when enough information is captured. In this case, web servers would know the originating IP address and other technical data for the inbound request, even though Apple said no cookies would be accepted or passed.
A simple approach would have an attacker who has broken through the security of an SMS-filtering company send an intentionally spam-laden messages to a target phone number to see if the user were employing the service. The attacker would then be able see whether a message corresponding to the number they used arrived (forget the text, even), and use that information combined with other private data. That could include passwords revealed in one of the many large breaches in recent years.
This would let them attempt to hijack accounts from users even if they had second-factor authentication via SMS enabled. The could even attack accounts where they only had an email address, as some sites will text a temporary password or password-reset link to a previously confirmed phone number. These kinds of automated messages typically use numbers that aren’t in someone’s Contacts list and are never replied to, making them likely to pass through SMS filtering.
Apple’s presentation doesn’t note whether companies that provide filtering have to delete messages after receiving them or encrypt the messages at rest, nor how that would be audited. Companies could by design or by accident accumulate a large database of messages associated with senders and additional other information. (Hiya says it doesn’t retain the messages.)
The off-device filtering feature relies on good actors with good security. Even asserting that no developer would pass through who had bad intent—an impossible statement, but this isn’t a knock on Hiya—the best security can still fail for unforeseeable circumstances, such as a zero-day exploit that allows an attacker to insert themselves into a system or carry away massive amounts of data.
You have to weigh the benefit of filtering messages from unknown parties against the risk that a breach in the filtering company could wind up rebounding onto you. For those with a massive spam or abuse problem, it might be worth it.