Researchers Highlight Potential Security Risk to iOS Users
Android usually gets smacked around for playing host to mobile malware, but iOS isn’t totally immune, according to researchers at Skycure Security.
iOS profiles, aka mobileconfig files, are used by mobile carriers to configure key settings for e-mail, Wi-Fi, and other features. But these files could be abused by attackers to sneak past Apple’s normally tight security and and hijack a mobile device, the security firm revealed in a blog posted today.
The process would be similar to that of a typical malware infection.
An attacker might tempt users to visit a malicious Web site by promising something for free. To get the free item, the victims are asked to install a mobileconfig file that will set up their devices. That malicious profile then gives the attacker full access to the device.
Like most phishing attacks, the success rate depending on whether or not enough users fall for the scam.
But a survey carried out by Skycure found that a number of mobile carriers do ask their users to install mobileconfig files in order to receive access to data plans. That process, however, doesn’t always employ tight security, according to Skycure.
The security firm uncovered one such process at several AT&T stores:
As pay-as-you-go clients who own an iPhone, we were directed to download and install profiles on our own devices. According to AT&T’s instructions, users are advised to download a profile from http://unlockit.co.nz via an unencrypted channel. The installation of this mobile configuration, which configures APN settings on the device, is mandatory for granting access to AT&T’s data network. In one of the stores, an AT&T salesperson actually took our phone and performed the aforementioned process via a public wi-fi network, which is an easy target for man-in-the-middle attacks.
Those man-in-the-middle attacks can change the mobileconfig file to a malicious version, allowing the device to be compromised. Skycure said it alerted AT&T to the issue and believes the carrier will tighten its process for installing mobileconfig files at its stores.
Skycure also offered three pieces of advice for iOS users downloading mobileconfig files:
1) You should only install profiles from trusted websites or applications.
2) Make sure you download profiles via a secure channel (e.g., use profile links that start with https and not http).
3) Beware of non-verified mobileconfigs. While a verified profile isn’t necessarily a safe one, a non-verified should certainly raise your suspicion.
CNET contacted Apple for comment and will update the story if the company responds.