Another day, another Android story. For a change, though, this time it’s not to report on a security threat like the Google Camera app vulnerability; quite the opposite in fact. Google has just confirmed that it is rolling out a significant update to the Messages SMS app that has been downloaded more than 1.5 billion times and is used for text messaging by hundreds of millions of Android users. Here’s everything you need to know.
How is Google making text messaging safer?
In an official announcement published on December 12, Google confirmed that with immediate effect, it is rolling out an update to make SMS safer for Android users. This comes hot on the heels of warnings that another planned change to Android messaging, the adoption of the Rich Communication Services (RCS) platform, will expose users to hacking. The confirmation by Roma Slyusarchuk, a Google software engineer, has nothing to do with RCS. Instead, it has everything to do with the Messages app that Slyusarchuk works on.
“SMS messages help businesses share useful information with consumers, things like one-time passwords, account alerts or appointment confirmations,” Slyusarchuk said, “yet sometimes it can be difficult to trust the identity of these messages.” The new update aims to help confirm the identity of the sender, even when sent from random numbers and without sending your messages to Google. The “Verified SMS” update has already started rolling out to Android users in the U.S., U.K., Brazil, Canada, France, India, Mexico, the Philippines and Spain.
Why do we need Verified SMS for Android text messages?
It’s that trust thing. Threat actors of all shades, from scammers to hackers, exploit misplaced trust in brand reputation to fool people into handing over personal information or clicking malicious links in SMS texts. It’s social engineering via text message, and it is far more common than you probably think. While years of awareness initiatives have made us wary of the email threat, SMS is all too often regarded as safe when, in fact, it’s just as dangerous, especially when services use it to send two-factor codes, security alerts and so on. That’s the problem that Verified SMS hopes to help solve. Assuming you are one of the hundreds of millions of Android users who rely upon the Messages app as your texting default, that is.
How does Google’s Verified SMS update work?
Verified SMS works by, as the name suggests, confirming individual messages for sender authenticity. It’s a badge of trust on a per-message basis. “When a message is verified,” Slyusarchuk said, “you’ll see the business name and logo as well as a verification badge in the message thread.” Beyond that sparse information, however, we have no actual technical data regarding the mechanics of making this thing work. We have to trust Google that it will. This is somewhat ironic given that Verified SMS is all about leveraging trust itself.
It’s important to note that Verified SMS will only apply to text messages sent by businesses, not individual users, and then only to those businesses that sign up to the scheme. It’s a good thing, and a move in the right direction as far as Android security is concerned. It won’t, however, prevent critical Android vulnerabilities such as the one that allowed an attacker to carry out a permanent denial of service exploit using a specially-crafted text message, unless the malicious message happens to have been sent by someone impersonating a business brand enrolled in the Verified SMS scheme, and that is something threat actors will quickly work around when developing exploit distribution strategies.
The security expert view on Verified SMS for 2FA codes
I spoke to Jake Moore, a cybersecurity expert at security vendor ESET, about the impact that Verified SMS might have on the pressing problem of providing 2FA codes via text message. “This seems like a good idea on the face of it,” Moore says, “but it’s still not foolproof by any means.” That said, Moore does agree it is a worthy attempt by Google to make people more security conscious. However, he also says that “ideally Google would bypass SMS altogether and direct people to use their authenticator app by default,” and for very good reason. It is thought that the YouTube influencer account hacking and takeover exploits earlier this year were made possible, to some degree at least, by SMS 2FA code interception. And then there’s the SIM swapping issue. “Sim swapping has become a massive problem for targeted victims,” Moore says, “a verified SMS service would still not overcome this threat.” Device-based 2FA via Google Authenticator, or other apps such as Authy, is far more secure and recommended where it is an option.