Configuration profile warning reminds us not to carelessly tap and install things on our iPhones and iPads

Configuration profiles can be installed on the iPhone, iPod touch, or iPad in order to help Apple diagnose things like battery life problems and to change settings for certain types of network access, among other things. Unfortunately, like many empowered conveniences, they bring with them theoretical security concerns. Namely, bad guys could make a malicious profile and try to trick us into installing it so they can do us harm. Skycure -- a security vendor, keep in mind -- reports:

A malicious profile could be used to remote control mobile devices, monitor and manipulate user activity and hijack user sessions. In addition to being able to route all of the victim's traffic through the attacker's server, a more interesting and hazardous characteristic of malicious profiles is the ability to install root certificates on victims' devices. This makes it possible to seamlessly intercept and decrypt SSL/TLS secure connections, on which most applications rely to transfer sensitive data. A few concrete impact examples include: stealing one's Facebook, LinkedIn, mail and even bank identities and acting on his/her behalf in these accounts, potentially creating havoc.

Matthew Panzarino of The Next Web went through a demo:

After the profile was installed, [Skycure CEO Adi Sharabani] demonstrated to me that he could not only read exactly which websites I was visiting, but also scrape keystrokes, searches and login data from apps like Facebook and LinkedIn. To be perfectly clear, this is not a vulnerability within iOS, instead it uses standardized frameworks to deliver a profile that has malicious intent.

To be clear, like any social engineering attack, this one requires us, the users, to install the malicious profile ourselves. It's not dissimilar to phishing attacks or web pop-ups on Windows or Mac PCs that claim account problems, promise free movies, porn or gadgets, or use other scare tactics and enticements to get us to click/tap and install them on our systems. That's because they aren't allowed to install themselves; we have to let them in.

For configuration profiles, you need to tap a link to initiate the install, then confirm the install in a modal pop-up dialog. In some cases, if you have a passcode set, it might ask for that as well. That's two user actions, maybe three. The install screen also shows what the profile is going to do. For example, Panzarino's showed VPN settings, meaning all of his traffic would be sent through someone else's Virtual Private Network. If you're not sure what something means, Google and places like the iMore forums are your friends.
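An unsigned configuration profile is just an XML property list, so the "what will this do?" check the install screen gives you can also be done before tapping anything. The checker below is an added example, not code from the article or from Skycure; the payload type identifiers are Apple's documented ones, the risk notes are my own wording, and the profile it parses is a constructed sample combining the VPN and root-certificate payloads the Skycure quote describes.

```python
import plistlib

# Apple payload types that alter traffic routing or certificate trust.
# The explanatory notes are this example's own, not from the article.
RISKY_PAYLOADS = {
    "com.apple.vpn.managed": "adds a VPN: traffic may be routed through a third-party server",
    "com.apple.security.root": "installs a root certificate: TLS interception becomes possible",
    "com.apple.security.pkcs1": "installs a certificate that may be trusted for TLS",
    "com.apple.proxy.http.global": "sets a global HTTP proxy: all web traffic goes via the proxy",
    "com.apple.managedCarrier": "changes carrier/APN settings: cellular data goes via another gateway",
}

def review_profile(mobileconfig: bytes) -> list[str]:
    """Return one human-readable finding per payload that changes routing or trust."""
    if not mobileconfig.lstrip().startswith(b"<?xml"):
        # Signed profiles are CMS-wrapped DER, not plain XML; this example only reads XML ones.
        return ["profile is not plain XML (probably signed/CMS); inspect it before installing"]
    profile = plistlib.loads(mobileconfig)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISKY_PAYLOADS:
            continue
        detail = RISKY_PAYLOADS[ptype]
        if ptype == "com.apple.vpn.managed":  # say where the traffic would go
            detail += f" ({payload.get('VPN', {}).get('RemoteAddress', '?')})"
        findings.append(f"{payload.get('PayloadDisplayName', ptype)}: {detail}")
    return findings

# Constructed sample profile: a VPN plus a root CA, dressed up as "diagnostics".
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadType</key><string>Configuration</string>
 <key>PayloadDisplayName</key><string>Battery Diagnostics (sample)</string>
 <key>PayloadIdentifier</key><string>example.sample.profile</string>
 <key>PayloadContent</key><array>
  <dict><key>PayloadType</key><string>com.apple.vpn.managed</string>
   <key>PayloadDisplayName</key><string>Diagnostics VPN</string>
   <key>VPN</key><dict><key>RemoteAddress</key><string>vpn.example.invalid</string></dict></dict>
  <dict><key>PayloadType</key><string>com.apple.security.root</string>
   <key>PayloadDisplayName</key><string>Diagnostics CA</string>
   <key>PayloadContent</key><data>AAAA</data></dict>
 </array>
</dict></plist>"""

if __name__ == "__main__":
    for finding in review_profile(SAMPLE):
        print(finding)
```

Run against a real `.mobileconfig` by reading the file as bytes; an empty result means none of the listed routing or trust payloads is present, not that the profile is harmless.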

So, just like with desktop web browsers, we have to be careful what we click/tap on. The same advice always applies, be it in real life or virtual systems. Don't talk to strange configuration profiles. Don't take candy from them and don't help them find lost pets.

In other words, don't be panicked, but absolutely be careful. Hit the link below for more on how this works and what you need to look out for.

Source: Skycure, The Next Web

Update: Nick Arnott pointed out I was conflating configuration and provisioning profiles in the article, and that provisioning profiles -- the kind developers issue for ad hoc/beta apps -- likely aren't susceptible to this type of attack.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • My only experience with this kind of stuff was with Onavo (not sure about the name), a service that promised data compression over 3G for savings, or reaching your data cap slower. Well, it kind of worked, but it messed up other things, like I couldn't connect to the Wi-Fi at work and things like that. Even if this app was legit, now I stay away from these things unless I really know what I'm doing, which is... not the case ;)
  • I use Onavo too! I had the same issue with connecting to my school Wi-Fi. That resulted in me turning VPN off until I had to use my cellular plan. My school blocks pretty much everything, so I'm guessing that's why it didn't work.
  • Onavo used to use a configuration profile that would change the iPhone's APN from your wireless carrier's to the Onavo servers. Yes, that did screw things up like when trying to authenticate to Wi-Fi networks that have a pop-up agreement ("Yes, I agree to abide by - blah-blah"). Now, they've switched over to a configuration profile that has an on-demand VPN connection. It works much better now and doesn't screw with the Wi-Fi or the voicemail or text messaging, and supposedly bypasses going to their servers when on Wi-Fi.
  • I thought configuration profiles were safe to install! Thanks for the warning! I do find myself using the iMore app a lot now, thanks!
  • I didn't know that they could change your settings; that's kinda scary. I never heard of Onavo, but I do use Feature Points. It's not so much an app as much as me installing a certificate. I use it to download apps which let me earn points to buy gift cards. So far I'm almost at $10. It's pretty good. However, I have never beta tested an app, nor do I see myself doing so in the future. I'm not that lucky, so I don't think I have much to worry about.
  • Seems like the typical user wouldn't have to worry about this though, which is good. Most users, I bet, didn't even know this was an option.
  • Great security tip, Rene, from you and the third-party people you mention in the article. Thank you for the heads up and explanation of what all this means. I do not beta test like you do and do not plan to download any beta material, but last week I called Apple tech support, based on advice from a friend in the forums, to diagnose my phone while I was on a land line, to scratch an itch I had and another with severe battery issues. Apple sent me an SMS with a link I clicked on, and in seconds they had all my info except private info and could tell me exactly what my phone was doing, including the state of health of my battery. I was good all the way around. I passed this info on to my friend with the battery woes in the forum in the hope that he could get the same help I did. Thanks again for the info.
  • I guess a pushed VPN can be easily removed from Settings, or they would need to install iPhone Configuration Utility to clear/reset the profile to remove any unwanted installs.
  • Good security tip. Another one is to fully research stuff before installing. If you don't know what it is up front and it doesn't have a good reputation, you should probably stay away from it.
  • Thanks for reminding us of this. I've got profiles from beta tests, so it was a good reminder to check them.
  • I remember when some guy hacked the App Store and allowed people to get paid stuff for free. The hacker wanted to have the user install a configuration profile that redirected App Store authentication requests. How scary is that?! Giving your Apple ID and password, and he was assuring that there was no logging or monitoring from his end. I didn't buy into that, so I didn't even bother trying.
  • As always, looking out for user security and personal data protection. iMore's awareness of such vulnerabilities is greatly appreciated! Thank you Rene!