iOS user security threatened by malicious profiles, researchers contend

March 12, 2013 | By Jason Ankeny

While Apple's (NASDAQ:AAPL) walled-garden ecosystem has traditionally spared its iOS mobile operating system from the malware threats plaguing Google (NASDAQ:GOOG) open-source Android platform, researchers say that iOS device profiles used by mobile operators could offer hackers a means to attack iPhones.

In a blog post published Tuesday, security firm Skycure explains that carriers, mobile device management services and even some mobile applications use iOS profiles--a.k.a. mobileconfig files--to help configure key system-level settings on Apple devices. "These include Wi-Fi, VPN, email and APN settings, among others," Skycure states. "While mobileconfigs are usually used for constructive needs and thus provide a lot of value, these same capabilities might be used by malicious attackers to circumvent Apple's security model and perform significant damage to their victims."

According to Skycure, malicious profiles could be used to remotely control mobile devices, monitor and manipulate activity, hijack user sessions and install root certificates making it possible to seamlessly intercept and decrypt secure connections used by most apps to transfer sensitive data. "A few concrete impact examples include: stealing one's Facebook (NASDAQ:FB), LinkedIn, mail and even bank identities and acting on his/her behalf in these account, potentially creating havoc," Skycure notes.

Attackers might fool consumers into downloading malicious profiles by promising them free access to premium content in exchange for installing an iOS profile that will "configure" their device accordingly or sending them a message promising "better battery performance" or "something cool to watch" upon installation.

"We identified another possible infection vector, which can prove to be very effective due to its reliance on the trust between customers and their service providers," Skycure adds. "A quick survey we did uncovered a variety of cellular carriers, many of them MVNOs, that ask their clients to install mobileconfig files in order to receive data plan access; unfortunately, these processes usually involve poor utilization of security measures."

Skycure notes it witnessed problematic iOS profile installation processes at several AT&T Mobility (NYSE:T) stores that researchers visited, subsequently notifying and working with the operator to address its findings.

Apple did not immediately respond to questions on the topic.

Just last week, Apple Senior President of Worldwide Marketing Phil Schiller took a potshot at Google following a report that Android is to blame for 79 percent of all mobile malware threats identified last year. "Be safe out there" Schiller tweeted, linking to an F-Secure study reporting a significant jump in Android malware between 2011 and 2012.

For more:
- read this Skycure Security blog entry
- read this Next Web article