Slightly off-topic, but has anyone managed to automate receiving and replying to so-called "flash SMS" or "Class 0 SMS"?
In Norway, there is a thing called "BankID on mobile", which is used for 2FA by government services, along with any companies requiring authentication with person's ID. Examples: banking, insurance, health and vehicle registration: you initiate a log in using either your personal ID or a combo of phone number+birthdate, and you receive this interactive, full-screen flash SMS asking you to ensure that a certain word combo matches, and to confirm the action with your PIN. To be clear, the interactive part does not come with some app, but it's a feature built into most smartphones.
This thing drives me nuts when traveling: it is slow when abroad and costs money. What's worse, is that it only works with a physical SIM, so I can't easily use a local SIM abroad. There is an alternative way of authenticating using a code-generating unit, but it is not perfect - you can only have one of them at a time, they're really fragile and non-waterproof.
What I'd like would be to leave my SIM at home, preferable inside of a hardware SIP gateway from Aliexpress, and proxy those prompts through a Telegram bot.
There appear to be a couple online services that will let you send Flash SMS (Type 0) but Twilio is not one of them.
Edit: The terminology is confusing! I wrote “type 0” above when in fact it’s a “class 0” sms. Type 0 means a silent SMS, Class 0 means an SMS that’s display-only and not stored. See also https://www.contextis.com/en/blog/binary-sms-the-old-backdoo... for a brief overview, though I’m sure there are other, better sources.
Wallet/Banking apps in India incl. Google Pay requires the mobile number on the phone to match the bank records due to central bank regulations, I assume IMEI verification happens behind the scenes with direct telecom API.
Wallet apps sends outgoing SMS randomly to verify this. Suddenly my wallet apps stopped functioning as SMS couldn't be sent and I presumed I had messed up with telephony services with some security settings and was searching radio logs to find the culprit where I found that SMS validity was nil.
Searching further I found that our telecom oligopoly (soon to be duopoly) decided to remove outgoing SMS from low-tier plans. I don't do real-time communication, telephony services are only useful to me for receiving the 2FA OTP and so I had low tier plans. Goodbye wallet apps.
I believe I have used some in the past. Possibly via http://fortytwo.com in an earlier incarnation (way before twilio existed). You can ask around for 'raw SMS PDU' support. You can safely claim it is for 'custom character set' (non UCS-2) usage. This is reasonable to use for developing markets where local pre-unicode character sets allow greater information density in a single message.
IIRC you can grab inbound Flash SMS from at least some devices using AT commands the same way you'd grab regular SMS. They won't show up in native messaging apps, however.
Yeah, unfortunately I haven't been able to find any current providers that allow sending raw PDU packets. I'd love to get away from using dedicated hardware + local SIM card.
Some BankID providers lets you use a regular bespoke ios/android app as an online code generator. Then you only need regular internet access, for example over wifi.
> This is more advanced than just a flash sms. It is probably implemented as a SIM Toolkit App on the SIM card.
Yes. As I have understood it, it’s a Java applet that runs on the SIM card itself.
And it probably being more than just flash sms is also evident from the fact that not all telcos are supported for use with BankID, even among Norwegian telcos.
It’s also worth noting that many telcos will charge you every time you use BankID. This annoyed me a lot so I switched to a different telco that’s cheaper and doesn’t charge for BankID.
You might want to take a look at the BankID app, which doesn't depend on functionality in the SIM card. Link in Norwegian: https://www.bankid.no/privat/bankid-app/
If you get another bank to issue BankID to you, then you may be able to ask your current bank that you may log in using that BankID. And this way you may perhaps be able to use the app instead. Maybe.
This is based on a custom SIM application that does crypto. You cannot just reply to the flash SMS by your self.
It shouldn't cost you money abroad though, BankID Mobile is free on many networks but if you use a reseller like OneCall they are unable to differentiate SMS and BankID flash SMS so you will be charged for it.
You could use the BankID iOS app which does the authentication crypto in the iOS app instead of using the SIM app.
It is not regular SMS, it is PKI based with a custom SIM application that uses SMS (Flash). Intercepting these SMS would not help you (unless you have hacked their app). Also note that SIM app runs independently from the mobile OS.
Okay, then intercept them with an analog loophole.
Keep one cheap phone mounted with a camera and robot arm poker, build the API on that, then get an additional SIM for your normal actually mobile use. Or eschew the camera by using LineageOS (which can ignore anti-screenshot measures) and screenshot over ADB.
If you're in the US, it costs only $20/mo for an basic level Google Fi SIM (T-mo + Sprint network) or $25/mo for a Visible SIM (Verizon network), and they will be seen as an actually mobile number by the network. I imagine there are similarly cheap deals in most other countries as well.
That is weird. I also have BankID but I never got a fullscreen SMS. It just gives me a normal iOS app notification on the top, which I click on, and then the app opens.
Some BankID providers offer a regular bespoke ios/android app that replaces the physical dongle, which can operate in two modes, either by displaying the one-time code or by using the internet to autofill the code.
A flash SMS is kinda like a regular SMS (I remember receving them already on my Nokia 3310), and uses the same protocol. However, it will appear directly on the screen of the user and won't be saved in the received messages. You could also send one yourself, if you can send AT messages to your cell modem :)
iOS visuals have changed since 2012, but the process is the same in 2021: 1. full-screen message 2. another full-screen message with a numpad and buttons.
I'm surprised that this feature is not massively used to scam people. Is it because sending service SMS is restricted to certain parties?
I had once run a campaign where we had published a number, and we had to collect all responses to an advertisement sent to that number, to be pushed to a web system.
Didn't buy one of those phone numbers from an SMS API. Had good success with Tasker Android app.
(This was in 2012-13. Not sure if Tasker can do these things today what it could do in 2012, due to increased security limitations in Android)
Had a rule configured in Tasker to call a HTTP end point with the sender details. received timestamp and the text message content, whenever a message was received on the android phone.
Didn't have to write any code and could get it done in the Tasker app UI, as it had all the variables/tokens available and I just had to form the endpoint link to be pinged with those variables in the request.
A similar thing might be possible with Tasker or similar apps to do the other way round (ie, having the phone send an SMS via mobile network in response to a ping from another device on the wifi network)
Heh. That sounds very familiar. In my IT department, about the same time, we wanted MFA on our admin accounts for services and generally SMS was the only way to do it. But how do you SMS MFA for a team of 5 or 10 people? Well, we used an android phone velcro'd to the wall running tasker and some custom server side scripts.
Even though we could have used Twilio, we chose to do it this way because a lot of services filtered for VOIP numbers and refused to setup MFA on them. So we needed a real honest-to-god number which was extremely annoying.
I was just looking for something like this. My primary phone # is a Google Voice number. There are a hand full of providers that (1) only offer sms 2fa and (2) refuse to send sms messages to my Google Voice number (cough _Apple_). Basically every service that refuses to send to GV also refuse to send to Twilio numbers.
A programmable SMS gateway plus a cheap sms only sim card seems to be my best option. I was thinking about doing this with a usb 4g card, but this might be better.
Now I'd really love to see something like this that also supported programmable voice.
Many companies who do SMS for account verification check whether or not the number is hosted with a VoIP provider and purposefully do not send verification requests to those numbers. It's a fraud prevention tactic.
> Most likely they are sending SMS from a short-code - and a short-code cannot send SMS to a non mobile number.
Sure you can. We do it all the time at my job, for sending reminders of appointments and medication refill notices and such. We have test recipient numbers on all of the mobile networks and the big VoIP networks like Republic Wireless and Google Voice. I even have a test number from voip.ms on there.
The requirement is that the owning carrier of the number have a partnership with the short code provider platform. Twilio famously doesn't want to pay for that partnership. Bandwidth.com, that operates the bare metal of a lot of VoIP companies, does pay for it.
I agree. This is extremely frustrating. One work around I found, was to also use Google Fi. Then I would use my Google Fi number, which would route to Google Hangout. Then I could get the code from there.
However, Google just killed my Google Fi account because I'm abroad to much. So now I need a new workaround.
If you're in the US a lot this could work for you.
Yes. First they sent me an email, telling me if I don't go back to the US and continue using it from there, it would be suspended. Then a month later my service was killed.
Apparently, if I go back to the US and use it from there it will start working again.
Ironically, this happened weeks after I was using in the US for a month straight.
Yep, looks like you're on the nose about it costing too much to them:
> The Services are offered only to residents of the United States. The Services must be primarily used in the United States (territories not included) and are not intended for extended international use. Further, the Services are designed for use predominantly within our network. If your usage outside our network is excessive, abnormally high, or cause us to incur too much cost, we may, at our option and sole discretion, suspend your Google Fi account, terminate your service, or limit your use of roaming.
My guess is you're just not profitable enough for them, using data on different carriers around the world? Who knows, but it appears they're cracking down now on people like me.
> refuse to send sms messages to my Google Voice number
Try getting a Twilio number in another country where they can't tell. I won't say which one works for me publicly here in case there are employees of those companies lurking here.
I signed up for a new Apple account recently because I needed a developer account. As far as I could tell, it is no longer possible to sign up for an apple account without any 2fa.
It would be nice if it would integrate with a 3G/4G dongle. Huawei dongles (maybe ZTE as well?) already have an HTTP endpoint to get SMS and also their USB dongles have no battery, so it is much safer to leave it plugged into a wall 24/7 than a phone.
Most phones these days do have battery charging cut off, so they should be safe but still prefer to have one without battery for leaving it plugged in 24/7.
A simple PowerPoint timer set to be on 1 hour out of every 12 works pretty well to stop wall mounted iPads from doing that “swell up the battery until the screen pops out” thing.
I did this. Bought a Motorola RAZR on eBay, plugged into a FreeBSD box and called it a GSM modem. Since we were monitoring if the network was down among other things, the pages would go out through the "GSM modem" since the fiber connection couldn't be relied on to be up. Paid like $10/month for a text-only phone plan. Worked great. The USB connection to the FreeBSD server keep the "GSM modem" continuously charged as well.
Haven't looked into this in a long time, but every cell carrier used to have a gateway address where you could send an email, using the destination phone number as part of the address, and the gateway would dispatch an SMS with pretty much arbitrary envelope information. You just needed a list of active gateways. I think I even have some old php code lying around that I used to spoof my friends' phone numbers to each other and generate a text thread where one came out and said he'd left his wife because he was secretly in love with the other dude. I know, real mature use of technology.
Dunno how old you are but back in the analog cellphone days I had my mom's clunky old flip phone lying around, I was 14 or so and followed some instructions off a BBS. If you put a piece of tin foil between two of the battery contacts you could get the phone into debug mode and you could punch in any channel number and just listen in on it. I lived near a freeway, so I would spend hours in the backyard eavesdropping on people's conversations as they drove by and faded in and out of range. You had to be quiet, because if they were close enough to pick up your signal they could hear you too. Dudes arguing with their wives, drug deals, it was quite an education. The shortwave radio receiver my parents bought me as a birthday present gathered dust in the closet.
I used to use the radio to to pick up cordless phones (ie a normal phone with a base station, with the huge phones with big antennas), AM if I rememeber rightly, right towards one end of the dial
this kept me entertained for far too long for an 8-10 year old..
That is a life-changing hack right there! Reminds me of an old glitch I experienced in the early Nokias that allowed the receiver of a call to listen-in on the line before answering.
> Reminds me of an old glitch I experienced in the early Nokias that allowed the receiver of a call to listen-in on the line before answering.
Do you happen to remember the model of that Nokia? I had a guy in high school show this to me once, but nobody believed me when I told them! I knew I wasn't crazy haha
I used this back in the day when I had an iPhone 3G and no SMS plan. I used an app that allowed a text like interface for email and then created an apple script that went through my contacts to look up their carrier and add their gateway address to their contact card. Looked weird to them to see a text from vividsiphone@ymail.com, but it worked!
We use that gateway email address with our notification alert system at $WORK. Only problem is if our internet/ power goes down, no notifications will arrive to our devices either way (email or email-to-SMS).
I know someone who did and it worked for a while until the provider contacted them to ask about the unusually high activity. They explained the situation, but since their package was a B2C package and they were using it for their company, the provider told them to either stop doing it or switch to a B2B package. There was no unlimited text B2B package available at the time and all of them were quite a bit more expensive than B2C. The latter has changed since, but I'm not sure about the rest.
Standard SMS plans usually have a human-typing-in-a-keyboard rate limit, around a handful per minute - you can manually try this, I've got blocked a couple of times by spamming a friend with "a", "b", "c"...
Were I work, we've implemented a couple of nation-wide general population surveys regarding non-communicable diseases (working with those countries health authorities, of course). For the actual surveys, we get SMPP contracts with the local telcos because of this limit (and to get a vanity shortcode, reverse billing...).
We started thinking it would also be cheaper, too (due to the scale pricing) - but the human time required for working out contracts with developing-world telcos for a project involving state actors can easily counter that.
The throttling is something we need to take into account for the tiny-scale pre-tests we ran (while working out the contract) using an SMS Gateway App[0] we've built, similar to the one from this thread. The main difference is ours uses a queue-based protocol to exchange messages with a controlling server.
Yes, most ordinary service contracts are "unlimited" for personal use.
A "person" can't reasonably compose and send more than 3 or 4 messages per minute on average. Send "too many" as defined by the carrier and you will likely be cut off.
I once sent 10k sms messages per month for about a year before my plan got cancelled. The plan officially allowed for unlimited sms. It was about 50$ per month, which was much cheaper than 0.1$ per message at Twilio (in Europe).
I received the bill at the end of the month stating the timestamp and recipient of every message. The PDF was regularly around 100 pages long.
What does throttled mean in SMS context? I can see why internet would need to be throttled but SMS is very infrequent and low data for it to be required to be throttled.
Ok. I spent a lot of research doing this. You can use unlimited text plans and do quite well. Certain carriers will block you quicker than others. As long as you are sending out SMS with a link so you can monitor the click rate - then you can disable that device from sending. If you disable that device for a few hours the carriers will let you start sending again. There are carriers that do not require an id for pay as you go sim cards with cash. With android you can also read the messages to and even respond to STOPS or add response conversations. Verizon seemed to be the best.
I was able to beat twilio for mass sms in pricing - but due to the carriers blocking a high percentage %10+ it isn't a good solution for 2fa etc. I have built apple labs too. Apple imessage used to allow quite a few messages before a block - but now they just block the entire device not the sim making it useless.
I had the devices just use a get request to check a queue in mysql.
In our case we chose to built a custom IMAP-like protocol for integrating with the Android app so 2 way communication would work without any extra steps.
But this project is definitely something that I'll look into supporting as well. The point of our software is to make integration as easy as possible by supporting as many protocols and devices as possible.
That’s actually relatively cheap, considering SMS prices used to be much higher than that until the EU enforced a hard limit of 10ct per SMS as maximum price.
Confirming the EU costs as circa 10c per SMS. Varies slightly by provider (twillio, AWS, ..), country, and perhaps exchange rate (if you pay in USD, billing may be fixed in EUR)
From a security point of view, if you're using anything before LTE?, the carrier verifies the SIM, but the SIM doesn't verify the network, which means your devices could get tricked into sending through a rogue network that could see your 2fa codes and destinations. Similarly, I don't remember when mobile network cryptography got good, but older networks are definitely eavesdroppable. You don't want your 2FA codes eavesdroppable beyond the minimum footprint for obvious security reasons; carriers visibility is unavoidable with SMS 2FA, but maybe there's a gain with a device you control vs an aggregator (and aggregators commonly use other aggregators for some of their routes), although you really can't know how a carrier delivers messages destined for other carriers.
If you're going to do this, you need to do it as part of a system where you use many providers and monitor success.
If the rate is high, it's almost certainly going to get blocked. But then, it may work better for some destinations than any commercial provider. Or it might continue to work when the commercial providers have outages, or the carriers do maintenance on their external connectors.
Some of the SMS aggregators use regular SIMs to send some messages, or contract with others to do so, it's generally called a grey route. Usually with more specialized equipment and more SIMs, but same basic idea.
Not exactly a security issue per se but ordinary SIM cards/phone numbers are intended for personal use and are limited in how many messages you can send per minute/hour/day.
When your messages are blocked, your 2FA obviously fails.
I send more than half of my SMS from the UNIX command line and don't touch a phone at all.
I have 'sms' shortcuts defined as shell aliases and those aliases call 'curl' commands that hit twilios endpoint and fire off the SMS from my "mobile number" which is, of course, a twilio number.
So I can SMS people while flying on a plane or abroad without a proper SIM card ... or at my house where I have no mobile coverage.
You may not find this specifically addressed in a contract. Instead, there may be a generic statement about personal use.
"Personal" use implies limits of some sort imposed by the carrier --- often as they see fit. A person can't reasonably compose and send SMS at a rate of more than 3 or 4 per minute on average.
person can't reasonably compose and send SMS at a rate of more than 3 or 4 per minute.
People at least used to use SMS as essentially a chat protocol, with each message often being only 1 or 2 words. 10+ messages pr minutes could easily be reached if you where having a conversation with someone.
10+ messages per minute might be reasonable in a conversation with a single individual/phone number. The same with all different numbers may not.
The point is that the actual definition for "personal" use may vary by carrier but be aware there is one. If you are sending "too many" messages to "too many" different numbers, you are likely to be cut off.
There is also SMSHub (https://github.com/juancrescente/SMSHub) which, as far as I see, does the same but additionally is able to deliver incoming messages to an API endpoint.
More than this what I want is complete control over sending audio to my mic. Apart from the Phone app I don't think there's any way to intercept a call with a default message or anything else. Only the Pixels with that Assistant can do this on Android AFAIK.
There's something fishy:
1) at the download apk page it does talk about GPS tracking...
2) the apk in the file name has "noAnalytics" but when fired up there were found references to analytics and Google connections
Can someone please explain what a gateway means i simple terms? When I think of a gateway, I generally visualize it as a door to a home. In software what is a gateway and what does it do?
Hi @hi41, this is almost the same in computer terms. This app opens up a "door" or a "path" for another application on the network to send and receive SMS's via your Android phone. So you could have software on your computer, that uses the gateway on your phone, to send and receive SMS's.
Thank you for your response. How is this different from a port which is used for communication over tcp/ip? Isn’t a port used for another client to connect.
A port is a destination. The gateway is the program listening on this port and rerouting requests elsewhere. Usually after adjusting for something or simplifying talking to old/new equipment/services. Internet is just one way of communication. Often a gateway enables talking between different communication ways.
While this is neat, you’ll be in for an uphill battle with the Google Play Store if you need the permissions listed in its derived project at https://github.com/klinker41/android-smsmms.
I developed an app to automate SMS text messages and getting Google’s approval to send SMS messages was more difficult than writing the actual app.
I have been looking for something like this, I built something similar but it used android debug bridge and a webserver on the laptop the device is tethered to. But I always wanted it as an android app.
I built one, way back (I'm not an Android dev, kind of hacked it together but on the positive side it's extremely simple: https://github.com/niryariv/KalSMS )
At the time there were a lot of developing countries projects using SMS as their main interface (a lot of work with community health workers etc). Orgs like the UN would set up an SMS gateway by hooking a desktop with some hardware, and of course it would be very vulnerable to stuff like power outages, someone tripping over the wires etc and you had to get the technician to set it up again. With smartphones you had the all the required setup in one cheap, small and very durable package, no training required to operate.
Can you receive SMS from apps that aren't the default SMS handler on modern versions of Android? I seem to recall Google putting a bunch of silly restrictions on it to the point where there wasn't even a permission you could grant if you wanted to.
In Norway, there is a thing called "BankID on mobile", which is used for 2FA by government services, along with any companies requiring authentication with person's ID. Examples: banking, insurance, health and vehicle registration: you initiate a log in using either your personal ID or a combo of phone number+birthdate, and you receive this interactive, full-screen flash SMS asking you to ensure that a certain word combo matches, and to confirm the action with your PIN. To be clear, the interactive part does not come with some app, but it's a feature built into most smartphones.
This thing drives me nuts when traveling: it is slow when abroad and costs money. What's worse, is that it only works with a physical SIM, so I can't easily use a local SIM abroad. There is an alternative way of authenticating using a code-generating unit, but it is not perfect - you can only have one of them at a time, they're really fragile and non-waterproof.
What I'd like would be to leave my SIM at home, preferable inside of a hardware SIP gateway from Aliexpress, and proxy those prompts through a Telegram bot.