In the Messaging App > Settings > Advanced > Auto-retrieve can there be an option to only allow auto-retrieve messages if they are from someone in the contacts list?
That would offer the security of what is already offered but with effectively a white-list for those in your contacts list.

Keep up the GREAT work! I am thrilled that GrapheneOS even exists.

    treequell We live in dark times.

    SMS & MMS really are insecure. Apple proposes everybody buy an iPhone. Google proposes everybody use RCS (esp. their code & their infrastructure). Carriers are not eager to deploy a new complicated thing to increase security & privacy. Various secure-messaging apps want you to convince your family, friends, and business contacts to sign up with them.

    Given that mess it doesn't seem like Google's AOSP project or GrapheneOS is eager to upgrade the AOSP SMS/MMS app.

    Some people use QKSMS.

    treequell

    There is often no choice to use alternatives to SMS. We cannot pretend to tell other people what to use.

    I think there is a general consensus that anyone with any sense uses Signal, or equivalent, for their texting.

    treequell If you want to message somebody securely, use Signal.

    No, if you want to message somebody securely, use a PRIVATE SERVER that doesn't involve some party you don't know and can't control.

    I don't know why this thread is getting into a meta-debate on Signal. Please focus on the OP.

    But I want to address what @csis01 said to say that the entire point of an end-to-end encrypted messaging app like Signal means that you don't need to trust the server to not look at the messages.

      matchboxbananasynergy
      1) Assuming that it's actually end-to-end in the CLOSED implementation that you install from whatever store (you can't tell what changes they make between the released source code and what they actually deliver).
      2) Minus whatever other details can be determined by the server, such as the fact that a message was routed between you and some specific other individual, what TIME that message was delivered, whether it was replied to, etc.

      EVEN WITH end-to-end encryption, there is a TON of data still available to collect.

        csis01 1) Assuming that it's actually end-to-end in the CLOSED implementation that you install from whatever store (you can't tell what changes they make between the released source code and what they actually deliver).

        I'm fairly certain that Signal supports reproducible builds, as does Molly, the security-hardened Signal fork.

        This is starting to sound like FUD, and is also off-topic here.

        Sorry for the confusion, that's on me. In my latest company security training, they were talking about hackers using the auto-retrieve to download malicious code to a phone even if you don't open the message (i.e. Pegasus etc). I was thinking that offering a switch to cut off any auto-retrieve not coming from friendlies would be an easyish way to help with that.

        I should have clarified better. My apologies.
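A sketch of the contact-gated auto-retrieve policy the original post proposes, written as an added example rather than GrapheneOS or AOSP code: the MMS notification fields, the contact list and the phone numbers are constructed for illustration, and the number normalization assumes a single default country code.

```python
"""Decide whether an MMS notification should be auto-retrieved.

An MMS arrives as a small notification (M-Notification.ind) carrying the
sender and a content location; the body is only fetched when the client
retrieves it. This policy fetches automatically only for known contacts and
leaves everything else for manual retrieval. Example code, not AOSP's.
"""
import re
from typing import Optional

def normalize_number(raw: str, default_country: str = "1") -> Optional[str]:
    """Reduce a phone number to country code + digits so that
    '+1 (555) 010-2000', '555-010-2000' and '15550102000' compare equal.
    Returns None for senders that are not phone numbers (e-mail addresses
    or the MMS insert-address-token placeholder for a hidden sender)."""
    if not raw or "@" in raw or raw.lower() == "insert-address-token":
        return None
    digits = re.sub(r"\D", "", raw.split("/")[0])  # drop '/TYPE=PLMN' suffix
    if not digits:
        return None
    if len(digits) == 10:  # national number: assume the default country code
        digits = default_country + digits
    return digits  # short codes stay as-is and only match if stored that way

def build_contacts(numbers) -> set:
    """Normalize a contact list once so lookups are exact string matches."""
    return {n for n in (normalize_number(x) for x in numbers) if n}

def should_auto_retrieve(notification: dict, contacts: set) -> bool:
    """True only if the notification's sender normalizes to a known contact."""
    sender = normalize_number(notification.get("from", ""))
    return sender is not None and sender in contacts

def triage(notifications, contacts):
    """Split notifications into (fetch now, hold for manual review)."""
    fetch, hold = [], []
    for n in notifications:
        (fetch if should_auto_retrieve(n, contacts) else hold).append(n["transaction_id"])
    return fetch, hold

# Constructed sample data: two contacts and four incoming notifications.
CONTACTS = build_contacts(["+1 (555) 010-2000", "555-010-3000"])
SAMPLE_NOTIFICATIONS = [
    {"transaction_id": "t1", "from": "+15550102000/TYPE=PLMN", "content_location": "http://mmsc.example/1"},
    {"transaction_id": "t2", "from": "+15550109999/TYPE=PLMN", "content_location": "http://mmsc.example/2"},
    {"transaction_id": "t3", "from": "insert-address-token", "content_location": "http://mmsc.example/3"},
    {"transaction_id": "t4", "from": "spam@example.net", "content_location": "http://mmsc.example/4"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_NOTIFICATIONS, CONTACTS))  # (['t1'], ['t2', 't3', 't4'])
```

Only t1 is fetched automatically; a hidden or non-numeric sender is held rather than treated as unknown-but-harmless.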

          octopod

          Thanks for the clarification.
          Any mention of Signal or other end-to-end encrypted apps is completely off topic here.

          You are absolutely correct to be concerned. SMS is built in to every phone and mobile carrier. Its vulnerabilities will exist regardless of whether we have encrypted messaging apps for friends and family.

          I don't think there is a way to prevent auto-retrieve. I believe the way SMS is handled means each message is processed in whole. I don't think the header information is retrieved separately first, which means logic cannot be applied to determine whether the payload will be retrieved or not. MMS, I think, can prevent downloading media. But the SMS exploits you're talking about would still be retrieved.

          Maybe with a mobile router you could be more secure, because SMS would be received by the router and not your mobile phone.

            netw0rk

            SMS does not travel over data / internet networks.
            The mobile carriers have a different type of network for voice and SMS.

              Blastoidea

              Staying away is not an option. SMS is like postal service. It comes with your phone/address. You are receiving whether you acknowledge it or not.
              Junk mail, spam, whatever. You can try to opt out but marketers have to comply. You don't really have control.

              The vulnerability remains in the phone even if you block numbers on the device. That's the OP's concern, that phones receive SMS unless blocked by the carrier.
              It isn't helpful to just dismiss the reality that SMS isn't a choice.

                I've disabled the stock messaging app and disabled 2G, enforced LTE only. But that's all on the OS level. I'm sure my SIM is still receiving messages from my carrier, I'm just not getting the notifications anymore.

                Correction, still receiving SMS (in flight mode). Please disregard my previous post.

                Graphite yeah, sure. But my mobile router has a web interface where I can read and write SMS.