Did Apple Take The Time To Think This one Through?

I'm sure they thought this through very clearly. And if you did any research on iOS 11.2, you'd have known when you downloaded it that Apple Pay Cash was coming. There was nothing wrong with your phone, all you had to do was tap Continue to be taken to the page where you could either set up Apple Pay Cash or turn it off.

I suppose anything IS possible. But there are currently no ways a text message, even one you click on can deliver a threat to your phone. iOS is a completely closed system and is designed as such to save you from having scams take over your phone. The worst case scenario would be clicking a link taking you to a web page that says it's taking over your phone. It can't. And all you have to do is force close safari and clear your cache in Safari settings. You really had nothing to fear from tapping continue in the message Apple sent you. Nothing at all.

Simply tapping the response has no security “implications” of any kind. Simply tapping a response button cannot and will not compromise your device or data.

cyberdoc2015 wrote:

.... Upon entering the Messages App, I am presented with a pop-up informing me that I can send money to people using Apple Pay. The only option I am presented with is a “Continue” button. Not knowing where this will lead, I try to get rid of the pop-up. I try to swipe up and down, right and left. I exit the Message App and return. I totally power down my phone, power it up and return to Messages. All to no avail. No matter what I try, each time I go into Messages, the pop-up returns.

Personally I think this highlights one of the problems with recent features in iOS and mac OS whereby certain features are naturally promoted to you but dialogue screens can be rather vague - were it malicious the button could say Skip/Not Now or anything and still activate the malicious payload, so other options might not help if there were an exploit, but the effect of Continue type buttons is ambiguous - does that lead to it being enabled automatically or take you to a screen to activate or decline. Trouble is you don't know until you do it.

I don't think the average user can be bothered to read T&Cs/feature announcements for updates that generally download automatically and nag you to install them every so often, many users probably just update to stop the nagging popups (which intrinsically is wise for security reasons but may have side effects).

In many ways going into Messages after the update is the ideal place to be informed and enable such a service, though I suspect some of us would prefer to search for the appropriate Settings and enable manually from there without being prompted for a feature you may not even want to enable, but this kind of thing is commonplace in most systems these days. On the flipside Apple would probably have incessant moans if the feature was hidden in Settings from those who like things set up more automatically....

cyberdoc2015 wrote:

I would like to make sure I understand you and Michael clearly. Are you stating that it is unequivocally impossible for a malicious actor to develop a malicious payload that is delivered via the Messaging App, and activated by clicking on a facet of the delivered item, or are you saying there is no currently known exploit of that nature?

Yes, that is exactly what I’m saying. Neither the SMS texting protocols nor Apple’s internet messaging protocols can be used that way - to deliver executable code. The very worst they can do is include a URL to a phishing web site.

True, but the flaw in your link was patched long ago, and has never been recorded as actually being used in the Wild. It was identified as a theoretical threat and patched before, as far as anyone knows, it was actually used by anyone.

There are no known malicous text message hacks in the wild and none identified for ios 9.3.3 or newer.

The op, IMO, is grasping at air here.

I think the bottom line is something he wasn't expecting worried him and made him take measures to protect his passwords/accounts - turns out to be a false alarm and a nuisance but I guess we might all do a similar thing if we felt concerned. I certainly know I've occasionally found things on OS X/mac OS that have slightly twitched me, but I've generally been fortunate to find the answer online before making radical changes to accounts passwords.

Apple will not respond to your post.

Product Feedback - Apple

Because you chose to ignore the message. That's on you, not Apple. If this is such a big deal to you, provide feedback to Apple via this link: Feedback - iPhone - Apple

You clearly don't really know what you're talking about. As Michael pointed out and as I said earlier, there was no security risk. Apple iPhones can't be hacked via a text message.

11.2, which you agreed to download was very specific that Apple Pay Cash was included. It shouldn't have to tell you a message would popup in your messages (though that's a very logical place for it to appear). I'm not sure I get what your beef is with Apple notifying you can set up a new service they rolled out, which you should have had some awareness was being offered to begin with.