Mobile programming: how secure is SMS - mobile

I am currently developing a web service that is configured to receive SMS text messages from different cell phones. Along with each message I also get the mobile number from which the SMS originated.
My question is it possible for someone to masquerade as a different phone number. That is it possible to send a SMS from phone (or other means) and make it look as if it came from a particular number?
I have read of SMS spoofing where it is possible to receive SMS intended for other numbers but I want to know if it is possible to send posing as someone else (send from phone or a web app etc).

Spoofing is pretty trivial with the right setup. For example, we send large numbers of SMS using a 3rd-party aggregator service, and each SMS has an "originator" field, which can be a phone number (specifically, a MSISDN), or a text value. We could, if we wanted, put anyone's number in there.
SMS is extremely insecure. It was designed as a back-channel for GSM engineers to test their networks, and turned out to be a nice revenue spinner, so they just left it as it is.
That's not to say you shouldn't send sensitive information over SMS, just be aware of the insecurity, and trust (or don't trust) messages accordingly. No channel is 100% secure, you need to decide if it's secure enough for what you want to send over it.

As I can send via GMX Webinterface - with my Phone number as Sender, I conclude that it is indeed possible.

Related

HLR LOOKUP service building

Newbie here. Can someone teach me like im 6 years old?
How can I do my own hlr lookup without paying a companies?
I see some people send some company links who offer hlr lookup.Thats not what I'm looking for...
I made some research and couldn't find much about how can I build a hot lookup.
Any help would be great.
Hi sdaassadasdasd asdasdsad,
TL;DR you can't perform your own free HLR lookup against telephone numbers on the public telephone service (formally called the PSTN), which is why you can find online providers who provide it as a paid service. There is always a charge, even to the HLR lookup providers.
It also depends what do you want to achieve. A HLR Lookup will let you know if a mobile phone number is assigned to a subscriber of a mobile network operator (MNO), and which MNO it is assigned to.
HLR lookups don't provide location (aside from some rudimentary country-wide location based on the Mobile Switching Centre that the telephone handset is being controlled from). They also don't usually provide an IMSI if that's what you are looking for, because these days most MNOs will implement home-routing which gives a temporary IMSI matched on their router so that they can conceal the real IMSI (to avoid fraud).
So, if you do want to perform a HLR lookup to check if a mobile phone number is "real" and assigned to a subscriber on a public network then I'm presuming you want to send a HLR request to query an external MNO - i.e. a public telephone number, not a local one running on your own equipment.
To query an external MNO then you will need to send a request, usually over the SS7 network, to the mobile network operator who was originally assigned the telephone number you want to know about. Eventually, if you have done everything correctly and the MNO wants to respond, you receive a response back which gives you the details you need to then ascertain if the telephone number is assigned to a subscriber, and if the subscriber is active on the network or not.
To send the HLR request, without going through an online provider, you will need at least:
equipment that talks the SS7 protocol (specifically to include MAP requests because a HLR is a type of MAP request)
somewhere to host your equipment
an SS7 interconnection from an SS7 backbone provider
point codes allocated from the SS7 backbone provider
someone to setup program the equipment
your own telephone prefix range for the far-end MNO to be able to respond back to your original request. You may be able to lease someone else's telephone number range if you don't have your own.
Once everything is setup then there's an additional per MSU (message signalling unit) cost. You can think of an MSU a bit like an IP packet, you send "one" and you get a response. You are charged by the SS7 backbone provider for every MSU you send that transits their network, regardless of if you get a response back from the MNO you want the message forwarded to.
I'm happy to answer any other questions on it, but I can't think of a way you can perform your own HLR lookup without incurring charges somewhere along the line.

Benchmarking with Mobile Data Connection

I have a benchmarking situation that requires some advise.
This is basically a scenario.
I typically use Jmeter to benchmark web page loads.
However in this case, I intend to benchmark an URL that will make some API calls. Basically I'm interested to see the response time of each API call.
The tricky part is that one of the API calls requires a mobile data connection (3G/4G) because the connection will be redirected to carriers to identify which carrier the mobile phone number belongs to. If every carrier does not recognize the mobile phone number, the API call will fail.
I did a manual benchmark(with Jmeter) by connecting my machine to a tethered mobile phone. This worked, however, I find it impractical to have a machine to wirelessly connect to a mobile phone just to run benchmarks. I cannot imagine putting a mobile phone (for every carrier) in a server room.
Does anyone have any idea or any experience in benchmarking an API that requires 3g/4g connection? Are there any tools out there?
I tried googling around, but, did not come out with anything useful.
Any advise is appreciated.

How to programmatically send text message notifications without knowing provider?

Many banks, airlines, etc. offer the possibility to receive text message notifications by entering your mobile number. Some other sites have you enter your mobile number and wireless carrier and send messages to your free per-provider email-to-mobile number. But some people definitely do it without asking for the provider. How is this accomplished? Are there commercial services that provide this functionality?
(if this doesn't belong on SO, feel free to migrate to another SE site)
Edit: I'm primarily concerned with mobile numbers in the US, but interested in answers for other countries as well.
Yep, providers of this service are called SMS gateways, good ones should be able to set you up with an API for bi-directional use
There are a few different ways this can happen. If you have access to cellular hardware, like Multitech's MTC-H5 cellular modem or their rCell 100 cellular gateway, you're sending SMS just like a cell phone does, so this bypasses the need to know the carrier of the phone number. If the program you're using can't directly access the hardware, you could try to use a program like ours, PageGate, to receiving alerting notifications from that program to interface with the hardware to deliver the SMS.
There are also message aggregators, companies who provide a web API that allows you to send SMS. You submit the phone number with message to their API, they handle the delivery. Examples of these companies would be Infobip and Clickatell or if you're looking for something for medical markets, you could try TigerText, or for emergency management, you could try Active911 or I Am Responding.

Testing SMS Short Codes

I've got an application that sits behind a US based SMS Short Code. I can test my application from the point of ingress into our systems to the point of egress and am confident about the functionality within those boundaries.
What I want to be able to do is extend the test to include the SMS Aggregator that is handling our short code. I want a service provider that will allow me to send and SMS via an API to a short code. We're working with 2 different SMS aggregators (a Tier1 and a Tier3) and both api's only allow SMS messages to be sent to long codes (10 digit numbers). I've also tried Tiwlio's SMS API, but they also do not allow SMS messages to be sent to a short code.
Can anyone recommend a service, hardware device, or other solution that would allow us to message a short code so that we can automate testing and monitoring of our short code based applications?
Thanks,
Kyle
This is probably disallowed by the aggregators due to difficulty in determining what short codes incur premium charges for MT messages.
Given that you can send to a shortcode from any GSM modem/handset with a valid SIM, why not interface with one of those and use the AT command set to send your test messages?

Communicating location between mobile devices

I am just brainstorming here. Let's say I have 2 mobile devices, iPhone, Android, WinPhone7, BlackBerry, Palm, whatever. I'd like to communicate my location (latitude/longitude) from my device to another one. What is the best way of doing this?
The assumption that each device has either built-in mapping capabilities or a custom-built native app.
I've thrown around ideas like SMS/MMS or email with links embedded in them. However, they all seem to be cludgy.
Any other ideas?
A web service (or, if you must and don't care about security, Twitter) that each phone could poll for changes to location might work out. The web service would have to accept the coordinates, obviously, plus be able to be polled for updates by each device. Security is obviously a concern, but that might be another way to go provided that each device had a custom app to accomplish this task as well as web access to poll for changes.
I would go for SMS. It is guaranteed to be private, reliable, low-cost and easy on battery.
Web service is also an option, however:
privacy is a concern, as the data will leave mobile operator internal network
reliability - well, you would have to build your own messaging system and that can always fail
end-user cost - in order to access web service, end-user would have to activate a data session and constant polling can be a source of significant traffic.
development cost - you would need to develop that web service
battery life - constant polling over the data connection will have an effect on the battery.
Compare that with SMS:
privacy - SMS never leaves operator network, so it is guaranteed to be as private as your phone calls are.
reliability - SMS center is guaranteed to always be there by your mobile operator to accept your messages
end-user cost - in most networks, SMS cost is negligible
development cost - well, as SMS center is already there, you can use it without any additional effort from your side (excluding your soft that needs to send and receive those SMSs)
battery life - no adverse effect on battery
In any case, both devices still have to have a "mapping app" that you can program to interface with the SMS/web-service data.

Resources