Auto download MMS (AOSP Messaging)

flighty_sloth

I noticed the default setting is to auto download MMS. I'm curious if this realistically opens much attack surface (ex: "malicious" image file), and once you receive the message would it make any difference if you click the image within the messaging app? Or would the damage already be done once the message is received?

de0u

flighty_sloth I noticed the default setting is to auto download MMS. I'm curious if this realistically opens much attack surface (ex: "malicious" image file), and once you receive the message would it make any difference if you click the image within the messaging app?

It depends on which hypothetical bug would be exploited. If the bug were in image display, displaying the image might be necessary; if the bug were in header parsing, maybe not.

I'd say that in theory disabling MMS auto-download would reduce attack surface a bit, and might make sense for somebody who largely does not use MMS.

Note that iOS likes to display incoming messages on the lock screen. This means more bugs become "zero-click".

flighty_sloth

Just to add: I don't really use SMS/MMS, but do have a SIM so l sometimes notice spam come in and that's raised this question for me.

flighty_sloth

bump

DeletedUser115

Disabling auto-downloading MMS reduces attack surface because rich media won't be parsed.

I have it disabled. On a rare occasion when I receive an MMS, and it's from a known person and somewhat expected / makes sense, then I download it manually.