Alice pays Bob 1 BTC with a simple pay-to-address type transaction. Three seconds after Alice broadcasts her transaction, Bob's Simplified Payment Verification (SPV) wallet displays a message saying the transaction was received.
How exactly does this work? What checks, if any, does Bob's wallet do before showing the message?
A lot of the SPV documentation I've seen makes vague statements about "height" vs. "depth" verification. These discussions aren't helpful because they don't describe the actual process.
The clearest statement I've found appears on the BitcoinJ documentation (under "Pending transactions"):
... However, in SPV mode the only reason you have to believe the transaction is valid is the fact that the nodes you connected to relayed the transaction. If an attacker could ensure you were connected to his nodes, this would mean they could feed you a transaction that was completely invalid (spent non-existing money), and it would still be accepted as if it was valid.
In other words, complete trust is placed in the network to only relay valid transactions. The network isn't supposed to relay double spends or transactions spending bogus coins. Therefore, the relay, and only the relay, vouches for the validity of the unconfirmed transaction. If an attacker can control your internet connection (through a WiFi hotspot, or VPN, for example), then he can send you fake unconfirmed transactions and rip you off.
Is this how SPV nodes handle unconfirmed transactions?
It seems like an SPV node could do better. For example, couldn't Bob's wallet verify that the coins being spent existed at one time? Request the Merkle path and transaction for all outpoints referenced in the unconfirmed transaction's input list. If the parent transactions can't be found, Alice's transaction is trying to spend bogus coins.
Could a similar mechanism be used to further verify that Alice's unconfirmed transaction doesn't double spend coins?
If neither of these checks are possible today, what would need to happen for them to become possible?