Another thing to look out for with "SMS to a friend" is allowing the sender to enter their name. You must ensure the server checks the name data so that it cannot contain misleading content.
“Your friend John has sent you a link http://coolstuff.mobi/212322. Check out more cool stuff at coolstuff.mobi”
The form to send this required a destination mobile number and a name; imagine the following variation on “John”:
“Your friend John called on 199100100 and also has sent you a link http://coolstuff.mobi/212322. Check out more cool stuff at coolstuff.mobi”
Of course 1991100100 would be some premium-rate number. All of these exploits are well known in the web world; the mobile world adds the further problem that it is relatively easy to extract money from the innocent mobile user.
Clean all data submitted in forms: remove all URLs, including click-to-call URLs such as “tel:” and “wtai://wp/mc;”.
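As an added example (not code from the original article), the following Python shows both ways of handling the name field server-side: an allowlist check that accepts only letters, spaces, apostrophes and hyphens, and a deny-list fallback that strips web URLs, bare domains, phone-number-like digit runs and click-to-call URIs (`tel:`, `wtai://wp/mc;`). The function names, the regular expressions and the message template are assumptions constructed for this example; the sample inputs are the "John" variations from the text.

```python
import re
from typing import Optional

# Constructed deny-list patterns (assumption). A friend's name must never carry
# a web link, a URI scheme such as tel: or wtai:, a bare domain, or a phone number.
_DENY = [
    re.compile(r"(?:https?://|www\.)\S+", re.I),          # web links
    re.compile(r"\b(?:tel|sms|mailto|wtai):\S*", re.I),   # URI schemes incl. click-to-call
    re.compile(r"\b[\w-]+(?:\.[\w-]+)+\b"),               # bare domains like coolstuff.mobi
    re.compile(r"\+?\d[\d\s().-]{5,}\d"),                 # anything that looks like a phone number
]

# Allowlist (assumption): a leading letter, then letters, spaces, apostrophes or
# hyphens, at most 30 characters in total. Digits and punctuation are rejected outright.
_NAME_OK = re.compile(r"^[A-Za-z][A-Za-z' -]{0,29}$")


def validate_name(raw: str) -> Optional[str]:
    """Preferred approach: allowlist. Returns the name if acceptable, else None (reject)."""
    name = raw.strip()
    return name if _NAME_OK.match(name) else None


def strip_links(raw: str) -> str:
    """Fallback approach: deny-list. Removes URLs, schemes, domains and numbers,
    then collapses leftover whitespace. Note that it cannot remove misleading
    plain words ("called on ... and also"), which is why the allowlist is preferred."""
    text = raw
    for pattern in _DENY:
        text = pattern.sub("", text)
    return re.sub(r"\s+", " ", text).strip()


def build_message(name: str, link_id: str) -> Optional[str]:
    """Builds the outgoing SMS only from a validated name and a server-generated link id."""
    safe = validate_name(name)
    if safe is None:
        return None  # reject the request rather than send a doctored message
    return (f"Your friend {safe} has sent you a link http://coolstuff.mobi/{link_id}. "
            f"Check out more cool stuff at coolstuff.mobi")


if __name__ == "__main__":
    # Constructed inputs mirroring the article's "John" variations.
    for candidate in ["John", "John called on 199100100 and also", "John tel:199100100"]:
        print(repr(candidate), "->", validate_name(candidate), "|", strip_links(candidate))
    print(build_message("John", "212322"))
```

The allowlist rejects every doctored variant outright; the deny-list version leaves "John called on and also" behind, which still reads oddly in the recipient's message, so use it only as a second layer behind the allowlist.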