by diydsp 1113 days ago
How is this generally possible? In my simplified understanding, a text message is a hunk of data, but I know it's more complex than that... it must be able to connect to all kinds of services and trigger all kinds of code running, right? Can't it be sanity checked sufficiently?
2 comments

Even if it would be a simple text message (which it's not for iPhone), it triggers a text parser at minimum. That parser can have various bugs in it, i.e. if the parser checks phone contacts to highlight a phone number in the text as a known contact, identifies some weblink, etc.

To sum it up, to have it as fancy as possible for users, it checks various things and needs permissions for that. Enough 0days in the chain and you can do whatever you need.

This is the problem of closed systems: you have to trust the manufacturer 100%, there is no independent audit possible. And if you ever did any serious code before, you know by heart that any code has bugs, in the code, in the platform/VM it runs on, APIs, etc.

Apparently, it uses iMessage's proprietary messaging format, not standard text messages. I don't use iOS but my understanding is users can't replace iMessage with another messaging app.

> my understanding is users can't replace iMessage with another messaging app.

To be precise, there is one "Messaging" app, that automagically uses iMessage (blue bubbles) instead of SMS (green bubbles) whenever possible. One can turn off iMessage in the settings, which will probably lead to your iPhone rejecting iMessages, making other iPhones only send SMS to you and also making your iPhone only send SMS. Whether that toggle prevents receiving and processing of malicious, invisible iMessages is an entirely different question.