Configuration profiles can be installed on the iPhone, iPod touch, or iPad in order to help Apple diagnose things like battery life problems and to change settings for certain types of network access, among other things. Unfortunately, like many empowered conveniences, they bring with them theoretical security concerns. Namely, bad guys could make a malicious profile and try to trick us into installing it so they can do us harm. Skycure -- a security vendor, keep in mind -- reports:
Matthew Panzarino of The Next Web went through a demo:
To be clear, like any social engineering attack, we -- the users -- have to install the malicious profile. It's not dissimilar to phishing attacks or web popups on Windows or Mac PCs that claim account problems or promise free movies, porn, gadgets, or use other scare tactics/enticements to get us to click/tap and install them on our systems. That's because they aren't allowed to install themselves; we have to install them ourselves.
For configuration profiles, you need to tap a link to initiate the install, then confirm the install in a modal pop-up dialog. In some cases, if you have a passcode set, it might ask for that as well. Two user actions required, maybe three. The certificate also shows what it is going to do. For example, Panzarino's showed VPN settings. That means all his traffic would be sent through someone else's Virtual Private Network. If you're not sure what something means, Google and places like the iMore forums are your friends.
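To see what a profile would change before it ever reaches a device, you can read the file on a computer. The sketch below is an added example, not code from Skycure or the original article: it assumes an unsigned, XML-format .mobileconfig file, uses a constructed sample profile, and the choice of which payload types to flag is the example's own.

```python
import plistlib

# Payload types that reroute or expose traffic; the set to flag is this example's choice.
RISKY_TYPES = {
    "com.apple.vpn.managed": "routes traffic through a VPN server",
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.proxy.http.global": "sends HTTP traffic through a proxy",
}

# Constructed sample profile (not taken from the article or the demo it describes).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Free Movies Setup</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>Example VPN</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>ExampleNet</string>
    </dict>
  </array>
</dict>
</plist>"""


def review_profile(data: bytes) -> list[tuple[str, str]]:
    """Return (payload type, concern) for each risky payload in a profile."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # signed (CMS-wrapped) or malformed input
        raise ValueError("not an unsigned plist profile") from exc
    if not isinstance(profile, dict):
        raise ValueError("profile root is not a dictionary")
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "") if isinstance(payload, dict) else ""
        if ptype in RISKY_TYPES:
            findings.append((ptype, RISKY_TYPES[ptype]))
    return findings


if __name__ == "__main__":
    for ptype, concern in review_profile(SAMPLE_PROFILE):
        print(f"{ptype}: {concern}")
```

A signed profile is wrapped in a signature container and is rejected here with a `ValueError` rather than parsed.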
So, just like with desktop web browsers, we have to be careful what we click/tap on. The same advice always applies, be it in real life or virtual systems. Don't talk to strange configuration profiles. Don't take candy from them and don't help them find lost pets.
In other words, don't panic, but absolutely be careful. Hit the link below for more on how this works and what you need to look out for.
Update: Nick Arnott pointed out I was conflating configuration and provisioning profiles in the article, and that provisioning profiles -- the kind developers issue for ad hoc/beta apps -- likely aren't susceptible to this type of attack.
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.