Hacking/jailbreaking can cause messaging oddities

While a variety of sources have published a story accusing the iPhone 3.0 software of broadcasting instant messages to random iPhones, in reality this exploit affects only users who have hacked their phone and made it vulnerable.

AIM

The problem allegedly occurs through AOL Instant Messenger’s push feature on phones that have been jailbroken (allowing the use of unauthorized software) and unlocked (allowing the phone to be used on a non-approved carrier). It is not yet clear exactly what causes the issue, though Till Schadde, who discovered the exploit, said AOL officials told him the problem is not on their side.

Till discovered the exploit by sending an AIM message to an iPhone using iChat on his Mac OS X desktop. He said his message appeared not only on the iPhone 3G of the intended recipient, but also on the iPhone 3GS of a complete stranger.

But without user tampering, the iPhone’s security layer actually prevents this sort of incident from happening. With the security layer gone, messaging becomes more dicey, it seems.

Apple’s Push Notification Service (PNS) is based on XMPP Publish-Subscribe, an open specification for delivering updated feeds of information using Jabber-style instant messages.

In order to secure the delivery of these messages, Apple uses SSL certificates to authenticate the client with the service, similar to how HTTPS websites authenticate themselves to visitors to enable SSL-secured banking, shopping, or other transactions. The iPhone automatically generates its own private and public key pair and uses it to register with Apple’s PNS servers and secure all of its subsequent transactions. The private key and public certificate work together to act as identifying credentials, like a user name and password.

Without having such a mechanism for authenticated identity in place, the iPhone would be deluged by marketers sending push message spam to users, just as spammers have long targeted email, SMS, and Microsoft’s Windows Messaging popups, none of which included any inherent security in their designs. Apple’s security system prevents users from receiving push message notifications from anyone apart from the system and applications the user explicitly approves.
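A simplified model of the key pair and certificate registration described above, as an added example that is not from the original article and is not Apple's actual protocol. A constructed demo CA stands in for the service, `device-A` and `device-B` are made-up names, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added illustration with a constructed CA and device names; a simplified model
# of certificate-based device identity, not Apple's actual protocol.
set -eu
WORK=$(mktemp -d)

# The service runs a CA that issues device certificates.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Push CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Registration: the device creates its own key pair and sends only a CSR
# (public key + name); the service signs it. The private key stays on the device.
enroll_device() {  # $1 = device name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# A device identity the service never issued (self-signed).
self_sign_device() {  # $1 = device name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Service check 1: does the presented certificate chain to the service CA?
cert_is_trusted() {  # $1 = device name
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Service check 2: does the caller hold the private key for that certificate?
# The caller signs a fresh challenge; the service verifies with the cert's public key.
proves_possession() {  # $1 = whose key signs, $2 = whose certificate is claimed
  openssl rand -hex 16 > "$WORK/challenge"
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/sig" "$WORK/challenge"
  openssl x509 -in "$WORK/$2.crt" -noout -pubkey > "$WORK/pub.pem"
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig" \
    "$WORK/challenge" >/dev/null 2>&1
}

make_ca; enroll_device device-A; self_sign_device device-B
for d in device-A device-B; do
  if cert_is_trusted "$d"; then echo "$d: certificate accepted"
  else echo "$d: certificate rejected (not issued by the service CA)"; fi
done
if proves_possession device-B device-A; then echo "device-B accepted as device-A"
else echo "device-B cannot claim device-A's certificate"; fi
```

Both checks matter: the certificate alone is public, so the service accepts an identity only when the certificate chains to its CA and the caller also proves it holds the matching private key.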
