Researchers Highlight Potential Security Risk to iOS Users
Android usually gets smacked around for playing host to mobile malware, but iOS isn’t totally immune, according to researchers at Skycure Security.
iOS profiles, aka mobileconfig files, are used by mobile carriers to configure key settings for e-mail, Wi-Fi, and other features. But these files could be abused by attackers to sneak past Apple’s normally tight security and and hijack a mobile device, the security firm revealed in a blog posted today.
The process would be similar to that of a typical malware infection.
An attacker might tempt users to visit a malicious Web site by promising something for free. To get the free item, the victims are asked to install a mobileconfig file that will set up their devices. That malicious profile then gives the attacker full access to the device.
Like most phishing attacks, the success rate depending on whether or not enough users fall for the scam.
But a survey carried out by Skycure found that a number of mobile carriers do ask their users to install mobileconfig files in order to receive access to data plans. That process, however, doesn’t always employ tight security, according to Skycure.
The security firm uncovered one such process at several AT&T stores:
As pay-as-you-go clients who own an iPhone, we were directed to download and install profiles on our own devices. According to AT&T’s instructions, users are advised to download a profile from http://unlockit.co.nz via an unencrypted channel. The installation of this mobile configuration, which configures APN settings on the device, is mandatory for granting access to AT&T’s data network. In one of the stores, an AT&T salesperson actually took our phone and performed the aforementioned process via a public wi-fi network, which is an easy target for man-in-the-middle attacks.
Those man-in-the-middle attacks can change the mobileconfig file to a malicious version, allowing the device to be compromised. Skycure said it alerted AT&T to the issue and believes the carrier will tighten its process for installing mobileconfig files at its stores.
Skycure also offered three pieces of advice for iOS users downloading mobileconfig files:
1) You should only install profiles from trusted websites or applications.
2) Make sure you download profiles via a secure channel (e.g., use profile links that start with https and not http).
3) Beware of non-verified mobileconfigs. While a verified profile isn’t necessarily a safe one, a non-verified should certainly raise your suspicion.
CNET contacted Apple for comment and will update the story if the company responds.
Source: http://news.cnet.com/8301-13579_3-57573765-37/researchers-highlight-potential-security-risk-to-ios-users/?part=rss&subj=news&tag=title
Related Items
Google didn't announce the latest version of Android at I/O, their annual developer conference, leaving our devices feeling sad and unloved. Android 4.3 may still be on the way soon, but for now, here's what we wish they announced—and how you can get many of these fe... Read More
When it comes to mobile gaming, the vast majority of gamers aren’t choosing a dedicated mobile gaming console, they are using smartphones and tablets. It’s also no surprise when you step back and consider that the Android ecosystem is by far large the most popular... Read More
(Reuters) - Overtaking Apple Inc as the world's leading maker of smartphones has stretched Samsung Electronics Co's in-house supply lines, and the South Korean firm is now courting some of its rival's main parts suppliers. After costly courtroom battles over techno... Read More
(Reuters) - Apple Inc CEO Tim Cook will propose tax changes that would encourage firms to bring home more of their offshore funds when he faces congressional queries next Tuesday over his company's overseas cash holdings and tax bills, the Washington Post reported. ... Read More
