Researchers highlight potential security risk to iOS users

Though Apple's mobile OS is often thought of as impervious to malware, hackers could potentially control a device using a malicious iOS profile, says Skycure Security.


Android usually gets smacked around for playing host to mobile malware, but iOS isn't totally immune, according to researchers at Skycure Security.

iOS profiles, aka mobileconfig files, are used by mobile carriers to configure key settings for e-mail, Wi-Fi, and other features. But these files could be abused by attackers to sneak past Apple's normally tight security and and hijack a mobile device, the security firm revealed in a blog post today.

The process would be similar to that of a typical malware infection.

An attacker might tempt users to visit a malicious Web site by promising something for free. To get the free item, the victims are asked to install a mobileconfig file that will set up their devices. That malicious profile then gives the attacker full access to the device.

Like most phishing attacks, the success rate depending on how many people fall for the scam.

But a survey carried out by Skycure found that a number of mobile carriers do ask their users to install mobileconfig files in order to receive access to data plans. That process doesn't always employ tight security, according to Skycure.

The security firm uncovered one such process at several AT&T stores:

As pay-as-you-go clients who own an iPhone, we were directed to download and install profiles on our own devices. According to AT&T's instructions, users are advised to download a profile from via an unencrypted channel. The installation of this mobile configuration, which configures APN settings on the device, is mandatory for granting access to AT&T's data network. In one of the stores, an AT&T salesperson actually took our phone and performed the aforementioned process via a public wi-fi network, which is an easy target for man-in-the-middle attacks.

Those man-in-the-middle attacks can change the mobileconfig file to a malicious version, allowing the device to be compromised. Skycure said it alerted AT&T to the issue and believes the carrier will tighten its process for installing mobileconfig files at its stores.

Skycure also offered three pieces of advice for iOS users downloading mobileconfig files:

1) You should only install profiles from trusted websites or applications.

2) Make sure you download profiles via a secure channel (e.g., use profile links that start with https and not http).

3) Beware of non-verified mobileconfigs. While a verified profile isn't necessarily a safe one, a non-verified should certainly raise your suspicion.

CNET contacted Apple for comment and will update the story if the company responds.

(Via The Next Web)

Featured Video
This content is rated TV-MA, and is for viewers 18 years or older. Are you of age?
Sorry, you are not old enough to view this content.

Details about Apple's 'spaceship' campus from the drone pilot who flies over it

MyithZ has one of the most popular aerial photography channels on YouTube. With the exception of revealing his identity, he is an open book as he shares with CNET's Brian Tong the drone hardware he uses to capture flyover shots of the construction of Apple's new campus, which looks remarkably like an alien craft.

by Brian Tong