Reports are circulating about a supposedly new iOS security vulnerability that involves a mobile device management (MDM) "hijack". Apple provided iMore with the following comment:
"This is a clear example of a phishing attack that attempts to trick the user installing a configuration profile and then installing an app," an Apple spokesperson told iMore. "This is not an iOS vulnerability. We've built safeguards into iOS to help warn users of potentially harmful content like this. We also encourage our customers to download from only a trusted source like the App Store and to pay attention to the warnings that we've put in place before they choose to download and install untrusted content."
From what I've seen, and based on my understanding of what's going on, Apple is correct. This looks like a traditional phishing/social engineering attack that attempts to trick someone into installing malware. And to do it successfully, that somone has to tap through multiple screens, ignore iOS' unverified developer warning and all common security best-practices, and confirm the installation.
In other words, it's like telling a bank manager you're the exterminator and getting them to let you into the vault, then claiming the lock is vulnerable to picking. It's no such thing. The person is vulnerable, and that's always the case in any system involving humans.
There's an argument to be made that Apple should warn people again before app launching any enterprise apps installed this way. That's part of the constant struggle between convenience and security, where some will complain if there are not enough warnings and others if there are too many. If you tell someone there's a free game or adult content or something else they know is dodgy but still want, however, they'll blow through three or four warnings almost as quickly as two. Because, people.
Again, there's nothing new or novel about any of this that I can see. Phishing and social engineering attacks are something we've been warning people about for years and years. It's like getting an email asking you to verify your iCloud or Gmail login, your credit card or Amazon account details.
It's why we always tell people never to click or tap on links in an email and to only ever download apps from a trusted source like the App Store.
In this specific case, it appears to be even less of a concern for most people, since it's targeting people already using MDM, which is by no means the majority of iPhone or iPad users.
So, as always, stay informed but also stay critical. Don't let researchers or reporters steal your attention through fear-mongering. More often than not, that's the real malware.
We may earn a commission for purchases using our links. Learn more.
European consumer group demands compensation from Apple over batterygate
A consumer association is demanding compensation from Apple over claims it slowed down user's iPhones.
iPhone 12's 'high-end' camera production 4-6 weeks behind schedule
Estimates suggest production is currently 4-6 weeks behind.
Analyst claims Apple has a 10-year lead in wearables, and that's being kind
Apple analyst Neil Cybart has a new, lengthy post up touting Apple's wearables market amongst other things.
If you have run an Airbnb, you might need one of these smart locks
These smart locks provide both convenience and security for you and your guests at your Airbnb rental. Make managing things easier by assigning codes and app access with the best smart locks around.