MMS Misbehaviour?

David Chkhartishvili
New member
Username: Datoch

Post Number: 31
Registered: 06-2004
Posted on Monday, May 23, 2005 - 09:09 am:   

Hi Bryce,

We discovered a problem where it's possible to download an MMS using a foreign
SIM card:

We sent a message to a phone (using SIM card 1). The phone got the MMS notification.
Before the phone started to download the MMS message, we switched off the phone and put
in SIM card 2. We were able to download the MMS message sent for SIM card 1 using
SIM card 2.
Seems like the MMSC doesn't check for the MSISDN header when the phone tries to download
the message.

Please clarify whether this is default behaviour or a bug.
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 4562
Registered: 10-2002
Posted on Tuesday, May 24, 2005 - 08:22 pm:   

Hi David,

All of the validation is contained in the URL contained in the MMS notification.

This was originally done by design, because of the fact that when you send a message, you might be sending to a phone number in a local format or an international format. And we couldn't guarantee that the address in the MSISDN header was going to be a perfect match for the originally addressed recipient.

However, since that time, things have changed, and we do fully qualify the phone numbers (provided that you have the MSISDNHeaderDefaultCountryCode setting present, and in some cases the MSISDNHeaderLocalPrefix ... as well as some specialty settings like LocalNumberPrefix/LocalNumberMaxLength which are used for situations where a provider serves a particular city code within a country code, such as island operators ... and DN code settings for handling some idiosyncrasies of phone number formats in some parts of South America ... prefix conversion settings that are sometimes needed for translating from national format to international format ... etc ... I really need to update http://www.nowsms.com/support/bulletins/tb-nowsms-002.htm as there are so many additional settings).

I rambled a bit there, but basically the net of it is that because we convert all recipient addresses to international format, it is not unreasonable for us to now add receiver validation based upon MSISDN authentication.

I personally don't think that lack of this authentication is a big problem if your MMSC is only accessible through direct data connections to your network. The URL IDs vary sufficiently that it would be very time consuming and data intensive to guess at URLs. And the scenario where a SIM card is swapped like you describe is not a direct cause of concern (after all, if the SIM card was swapped like this, the user could also read all messages that had been previously downloaded to the phone).

Nonetheless, we do consider this to be a serious issue. If we can lock this down to prevent any possibility of unauthorised message downloads, then I believe that we should.

We are posting an update to address this issue, and this will be included in future updates.

The update currently identifies itself as v5.51b (20050523). There is a ZIP for this update, which can be applied to any v5.51 (or v5.51a/b) installations, available for download at http://www.nowsms.com/download/latestpatch.zip.

-bn
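
The receiver validation discussed in this thread, as an added sketch that is not NowSMS code and not part of either post: the MMSC keeps the addressed recipient for each notification URL ID in international format, normalises the MSISDN presented at download time the same way, and refuses the download on any mismatch or missing header. The function names, the store, the country code, the local prefix and all numbers are constructed for illustration.

```python
import hmac

DEFAULT_CC = "995"    # assumed default country code (constructed)
LOCAL_PREFIX = "0"    # assumed national trunk prefix (constructed)

# Constructed store: URL ID issued in the MMS notification -> addressed
# recipient, already converted to international format at submit time.
PENDING = {"20050523/7F3A9C1E": "+995551234567"}


def to_international(number, cc=DEFAULT_CC, local_prefix=LOCAL_PREFIX):
    """Return +<country><subscriber>, or None if no digits are present."""
    raw = (number or "").strip()
    digits = "".join(ch for ch in raw if ch in "0123456789")
    if not digits:
        return None
    if raw.startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    if local_prefix and digits.startswith(local_prefix):
        return "+" + cc + digits[len(local_prefix):]
    # Assumption: anything else is already international without the "+".
    return "+" + digits


def may_download(url_id, header_msisdn):
    """Allow retrieval only when the requesting MSISDN is the addressed recipient."""
    recipient = PENDING.get(url_id)
    requester = to_international(header_msisdn)
    if recipient is None or requester is None:
        return False  # unknown URL ID or missing MSISDN header: fail closed
    return hmac.compare_digest(recipient.encode(), requester.encode())
```

With this check in place, the SIM-swap case from the first post is refused because the second SIM presents a different MSISDN for the same URL ID, while local and international spellings of the addressed number still match.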