
A bug in Samsung’s default texting app is sending random pics to other people - ilarum
https://gizmodo.com/a-bug-in-samsungs-default-texting-app-is-sending-random-1827291759
======
foobaw
I've been in the OEM industry for years and can't believe this happened in
production.

For something like texting/RCS, there are thousands of phones being tested
thousands of times by thousands of people with multiple additional checkpoints
(ODM, Google, Carriers). It's a core functionality so it's extremely tightly
verified.

RCS was first implemented about three years ago for phones so it's shocking
that this kind of bug happened now. I also worked on the initial
infrastructure for this so I can't imagine how this bug was even introduced.
My bet goes to it being a server-side issue, especially since it's
carrier-specific, and not a software bug.

~~~
exikyut
This is the first time I'm hearing about RCS at all. I know SMS is ancient,
but I had no idea it had been superseded like this. (Probably because I've
never had a smartphone - they're a bit beyond my budget.)

I (very vaguely) know that SMS works on top of SS7. I just checked out
[https://en.wikipedia.org/wiki/Rich_Communication_Services](https://en.wikipedia.org/wiki/Rich_Communication_Services),
which was interesting but doesn't have that many technical details.

I'm very curious to understand how RCS works technically. I get the impression
it can work over IP as well as carrier-integrated data transfer?

~~~
bambamboom
What do you do? There are (were) wonderfully fast Windows phones for $20

~~~
exikyut
Appreciate it hugely. It's actually the data costs that are prohibitive - I've
only just started looking around, but my first quote is $39 for 2GB and 500
free minutes ($1/min after that) from Telstra, Australia's juggernaut.

I did recently think I critically needed to stay in touch (this is why I have
the numbers above), but that requirement seems to have settled a little, which
is why I'm less motivated to get on the merry-go-round of plan-hunting now.
Chances are prepaid is probably what I'll end up doing ("yeah this is my
number this week", here we come, lol).

What I _really_ want is an IoT/M2M contract, but I have no idea how to look
for those :D

Oh - as for what I do, currently working on kickstarting that :) this sums up
the difficulty FWIW:
[https://news.ycombinator.com/item?id=15004608#15005811](https://news.ycombinator.com/item?id=15004608#15005811)
(I'm working on it, it's fine)

------
ChuckMcM
Maybe it's Google's answer to SnapChat, call it SnapRoulette :-)

But more seriously the messaging story on Android is abysmally broken. There
are SMS messages, vendor wrapped SMS/MMS messaging, Google flavored chat apps
that sometimes map to SMS/MMS and sometimes to some Google protocol.

Combine that with an insane permission model that basically wants you to hand
over access to all your SMS/MMS rights for applications that deal with photos
and I wouldn't put it past being a bit of malware in some photo client.

~~~
vbezhenar
But I would say that I hate that iOS apps can't access my SMS messages. I've
typed thousands of "pin codes" from SMS and I can't have auto-transactions in
my budget app from bank SMS notifications. While I don't like the idea of
allowing every app to access SMS messages, I'm fine with allowing some apps to
access all SMS messages and temporarily allowing an app to access all new SMS
messages.

~~~
ChuckMcM
I would be happy if I went to add a photo to a text message and it said,
"Allow Messages to access photos just this one time?" and I confirmed it. And
then it turned off permission again after the message was composed.

What I don't like is when you get an app like "SuperPhotoStickers!"[1] which
allegedly lets you take a picture, put stickers on it, and text it to a
friend. Asks for permission to access texts all the time, and has a service
that runs all the time, and later you find your phone has been sending photos
and/or texts to a third party without you knowing about it. That is what I
mean by it being a broken permission system.

In a sane world you would be able to say "only access pictures taken with the
App" and access the text subsystem (SMS/MMS) only when "the App is open
and the UI is on the screen in front of me."

[1] Example name, not a real app as far as I can tell.

~~~
andromeduck
Something like "for this session", like how sudo works, would work pretty well too.

------
examancer
This story is very thin on details, but with the abysmal quality level of most
Samsung software it is 100% believable.

~~~
paulie_a
Absolutely agreed. Great hardware that Samsung took a huge dump on with
inferior replacement apps. Why do they even bother to develop worse versions
of things built into Android? After my S8 issues and my randomly rebooting
refrigerator, Samsung has lost me as a customer.

~~~
flyinghamster
> randomly rebooting refrigerator

Call me old-fashioned, but a refrigerator should never have to reboot. ;-) A
microcontroller running drop-dead-simple firmware is OK, but if it ever has to
reboot for any reason save power outages, they've failed.

I'll certainly agree on Samsung's software (at least the sort of things users
directly interact with) being a vortex of suck, though. Back when I used a
Galaxy S Relay "4G" (the "4G" in quotes because they were calling DC-HSPA+
"4G"), I found the phone to be much better after I installed CyanogenMod.

Too bad CyanogenMod imploded, and worse, there's no LineageOS for that old
handset, which was one of the last good slider phones.

To be fair to Samsung, I have no complaints about their SSD firmware, but I'll
stay away from their cell phones.

~~~
squirrelicus
The value proposition of IoT is so bad. Maybe I'm old fashioned too, but I
prefer things that work and can be repaired by third parties when they don't.

------
hbcondo714
> go into your phone’s app settings and revoke Samsung Messages’ ability to
> access storage. Until a real solution is released, this will prevent
> Messages from sending photos or anything else stored on your device, whether
> you want it to or not.

I tried this but now when I launch the Samsung messages app, it asks me
permission to access the phone's storage. When I click 'deny', the app closes
so I can't access my messages with this "solution"

~~~
tuxracer
They seem to have the advice slightly mixed up. It's not "revoke Samsung
Messages storage permissions OR switch to another SMS app" it should be
"revoke Samsung Messages storage permissions AND switch to another SMS app"

Highly recommend [https://www.signal.org/](https://www.signal.org/) which on
Android can act as your normal SMS client (as an added bonus if your contact
also uses Signal there are some security enhancements)

~~~
hbcondo714
Thank you; just made the permission change & made Signal my default SMS app.
If it's good enough for Edward Snowden, it's good enough for me.

------
reustle
I'm not surprised. Semi related, my S8 often never saves photos that I take.
It's a very common problem they have yet to acknowledge.

[https://www.reddit.com/r/GalaxyS8/comments/7kc8wj/photos_not...](https://www.reddit.com/r/GalaxyS8/comments/7kc8wj/photos_not_saving/)

------
universenz
I bet you it's Bixby getting revenge.

~~~
paulie_a
I swear the last software update on my S8 made that button more sensitive just
to annoy me into using that garbage.

------
throw7
Good job Samsung. This is probably related to their rollout of RCS on
T-Mobile, especially as this only affects Samsung's texting app and not
Android Messages... which is absolutely maddening as the point of RCS UP is to
use whatever RCS UP client you want. -.- freakin' telecoms.

------
hbcondo714
> switch to a different texting app like Android Messages or Textra

Great, I just got a Galaxy S9 after being a longtime iPhone user. What are
HN's experiences with these messaging apps?

~~~
tootie
They're all exactly the same and haven't changed appreciably in 10 years.

~~~
Izkata
I just upgraded from an 8-year-old Samsung Galaxy S (jumping from Android 2.1
to 7), there's been a lot. Off the top of my head:

* The difference between SMS and MMS is much more hidden from users

* Group messages (where everyone is communicating with everyone in the same conversation, _not_ a mass-text)

* Not only did stickers not exist, _graphical emoji_ didn't exist except in third-party messaging apps

* More web integration, like being able to search for an image and send that

* Google Pay integration, apparently I can send and request money

------
kulu2002
Ridiculous!! Hey but I am still using Nokia Lumia ... already a dead product.
Windows 8.1's default SMS app for mobile doesn't access gallery or any other
thing.

------
lxe
The article was deleted. What happened? Here's a "mirror":
[https://www.gizmodo.com.au/2018/07/a-bug-in-samsungs-default...](https://www.gizmodo.com.au/2018/07/a-bug-in-samsungs-default-texting-app-is-sending-random-pics-to-other-people/)

~~~
lxe
I guess it's undeleted now

------
ben_utzer
The article is wrong. You can't disable its permission. The App won't work.

------
mindslight
It seems like this is better described as "phones running Samsung's software",
lest we further normalize this locked black box culture.

edit: this post now links to a different site with a better title.

~~~
ravenstine
Samsung's software makes their otherwise good phones markedly terrible. My
Galaxy S5 got so slow at one point that I was planning on getting a new phone
and thought "what the hell, I'll try to root this one and if I brick it then
nothing of value was lost." It's a good thing I did successfully root it
because I removed all the Samsung garbage and it continues to run
exceptionally well! Sure, disk space probably played a role, but I noticed
that their keyboard had a large part to do with the slowness. After replacing
it with AnySoftKeyboard, it's run as smooth as butter.

EDIT: Another pro-tip I have for anyone with an Android phone is to ditch
Google for DuckDuckGo, not only for privacy but because it simply outperforms
Google's UI responsiveness by lightyears.

~~~
navjack27
Replace Google for duckduckgo? UI responsiveness? Using anysoftkeyboard?

It's an S5... And old... That's the problem.

~~~
larkeith
Components do not degrade significantly in the lifespan of a phone. Websites
are generally no more intensive than when the S5 came out, and there's no
reason for apps to be either. "It's old" is a worthless excuse for poor
software design - as evidenced by the fact that using FOSS restores full
performance.

------
duxup
I kinda like the idea of getting random pics from people....

------
kbumsik
Is this really a bug? Look at this:

> Samsung Messages sent out their entire photo gallery to a contact in the
> middle of the night.

Is it really possible to make this by mistake? Sounds like Samsung
deliberately made a backdoor that sends the whole gallery to "someone". Their
"bug" might be sending to an unintended person.

~~~
gdulli
Are you legit suggesting that Samsung intentionally created a feature to send
themselves (or "the government") the entire camera rolls of their customers'
phones, and simply got the destination wrong?

~~~
kodablah
Or maybe more plausibly, they do have export code in there for any number of
reasons including debugging, and they left it in there and are triggering it
by accident. GP is likely just suggesting that it's quite amazing that a
single little bug can do all of these steps as opposed to intentional code
executed unintentionally.

