Security firm says iOS configuration profiles pose malware threat

Mar 13, 2013


Last week, Apple’s Marketing SVP Phil Schiller tweeted out a link to a mobile malware report that showed Android devices accounted for a staggering 79% of new mobile threats last year, while iOS devices accounted for just 0.7%.

Of course, the fact that he tweeted the link was far more surprising than the report’s data. After all, we’ve known for years that Android is far more susceptible to mobile malware than iOS. Right? Security experts say not so fast…

The Next Web’s Matthew Panzarino points to a new report from security firm Skycure that details what the firm is calling a major security vulnerability for iOS: configuration profiles.

What is a configuration profile? It’s a tiny file that has the ability to alter settings in iOS. Everyone has seen them at one point or another. Apple used to use them to deliver patches, and carriers sometimes use them to distribute updates.

But according to Skycure, if used maliciously, these profiles can be very dangerous. Even though their use is approved by Apple, they aren’t subject to the standard ‘sandboxing’ rules that apply to third party App Store apps and websites.

To demonstrate the danger, Skycure set up a fake website with a prompt to install a configuration profile and sent the link to Panzarino. After installing it, he found out they were able to pull passwords and other data without his knowledge.

“After the profile was installed, Sharabani demonstrated to me that he could not only read exactly which websites I was visiting, but also scrape keystrokes, searches and login data from apps like Facebook and LinkedIn. To be perfectly clear, this is not a vulnerability within iOS, instead it uses standardized frameworks to deliver a profile that has malicious intent.”

Should you panic? No. You have to actually install these ill-willed profiles for your device to be susceptible to the above behavior. But it’s not hard to imagine ways to tempt users into doing that: “Free music and movies, install app now.”

The big takeaway here is really to just make sure you avoid installing configuration profiles from unknown or sketchy sources. Considering how much they’re used, we don’t imagine Apple will be getting rid of them anytime in the near future.

  • wonderboydave

    used them to install siri proxy, change APN settings for my straight talk service; I can see where this can lead to, but yeah just use your head and common sense to know what’s a legit source compared to a sketchy source.

    • NoUsernamesFree

      > common sense to know what’s a legit source compared to a sketchy source
      Incidentally, that advice pretty much avoids getting the Android malware that Phil Schiller tweeted his link about too.

      • felixtaf

        But none of the apps in the App Store will ask you to install a profile (I have never encountered one), unlike the apps in the Play Store with malware!

  • https://twitter.com/MrElectrifyer MrElectrifyer

    Hold up, grabbing my popcorn.

    And…action!

  • http://www.youtube.com/TheAznDVD TheAsianDVD

    I always wondered if the configuration profiles could ever be used maliciously. Well, now I know. I think Jailbreakers are a little more at risk than others because sometimes we have to install some profiles for some tweaks and stuff like that. So, be safe out there and good post. Keep up the good work.

    • Chuck Finley

      …what? I’ve never had to install a config profile for any tweak I’ve ever installed.

      • http://twitter.com/kev0224 Kevin Lam

        Siri tweaks

      • Guest

        Siri Tweaks don’t require Profiles. Siri Servers do.

      • http://www.youtube.com/TheAznDVD TheAsianDVD

        I meant just Siri servers, sorry for the confusion.

  • Jeffrey Yeo

    Rule of thumb – do NOT install anything that you are not sure or feel suspicious of.

  • http://twitter.com/Jack_maredit Jackson Grong

    I have to use a profile to set up the APN for tethering, because every time I type the tethering APN it deletes itself!
    Anyone having the same issues?

  • http://twitter.com/phillip_is phillip.

    How can I remove a profile? I don’t have any currently running on my iPhone 5. However, on my iPhone 4s I used to have a couple. I could not figure out how to delete them though. I ended up having to restore my phone. Is there a simple way on iOS 6 to delete these profiles?

    • V35

      Go to Settings and, depending, look at General; it should have a tab to remove. If all else fails, DFU restore just to be sure.

  • Luis Finke

    I wonder if you could exploit that to create a jailbreak…