Israeli firm Skycure Security on Wednesday published a proof-of-concept vulnerability report on the company blog (via InformationWeek). Skycure's report shows how malicious users could leverage iOS profiles, also known as mobileconfig files, in order to circumvent Apple's malware protections.
Malicious apps are filtered out in the App Store approval process, making it more difficult than on other platforms for them to reach users' devices in the first place, and the iOS sandbox confines each app to the permissions it has been granted. Mobileconfig files sit outside both controls: they are not apps, and the settings they carry apply system-wide. Cellular carriers, Mobile Device Management solutions, and some mobile applications use them to configure system-level settings on iOS devices, including Wi-Fi, VPN, email, and APN settings.
Skycure claims that, with a bit of social engineering, an attacker could get victims to install a malicious iOS profile. The attacker could do so by, for example, promising access to popular movies and TV shows on an attacker-controlled website. The user would install an iOS profile to "configure" the device for the service, and the attacker's settings would then take effect on it.
Once such a profile is installed, the attacker could route all of the victim's traffic through an attacker-controlled server (for example via a VPN or APN setting) or install a root certificate on the device. With that certificate trusted, the attacker's server can present certificates the device accepts, allowing SSL/TLS connections to be intercepted and read in the clear.
Skycure also notes that some AT&T stores, when signing up customers for pay-as-you-go accounts, were directing those customers to download and install a profile from unlockit.co.nz over plain HTTP. Installing that configuration is necessary to get access to AT&T's data network, but downloading a mobileconfig file in this manner, Skycure says, leaves users wide open to man-in-the-middle attacks, in which anyone on the network path can substitute a profile of their own, especially when the download is performed over a public Wi-Fi network.
Skycure recommends that iDevice users only install profiles from trusted websites and applications, and only over a secure channel, indicated by an address beginning with https. The firm also recommends wariness toward profiles that iOS reports as not verified, meaning ones that carry no signature the device can validate, calling them cause for suspicion.
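The checks above (what settings a profile actually carries, and whether anyone signed it) can be run before tapping Install, because a mobileconfig file is just an XML property list, optionally wrapped in a CMS (PKCS#7) signature. The following inspector is an added example and not code from Skycure's report or from Apple; it uses only Python's standard library, the documented PayloadType identifiers for the payload kinds the article mentions (VPN, root certificate, proxy, APN, Wi-Fi, mail), and a constructed sample profile of the "free movies" kind described above. The signed-profile handling is a byte-level heuristic for extracting the embedded plist, not a signature verification.

```python
"""Inspect an iOS configuration profile (.mobileconfig) before installing it.

Added example, not code from Skycure's report. It relies only on the
documented property-list layout of configuration profiles and on Python's
standard library.
"""
import plistlib

# Apple PayloadType identifiers whose presence in a profile from an unknown
# source deserves scrutiny, with the reason a practitioner would care.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA: enables TLS interception",
    "com.apple.vpn.managed": "installs a VPN: can route all traffic via a third party",
    "com.apple.proxy.http.global": "sets a device-wide HTTP proxy",
    "com.apple.cellular": "changes APN / cellular data settings",
    "com.apple.managedCarrier": "changes APN settings (legacy carrier payload)",
    "com.apple.wifi.managed": "adds Wi-Fi networks, optionally with a proxy",
    "com.apple.mail.managed": "configures a mail account (servers, credentials)",
}


def is_signed(raw: bytes) -> bool:
    """Report whether the profile carries a signature at all.

    An unsigned profile is a plain XML plist and starts with '<'. A signed
    profile is a DER-encoded CMS SignedData structure wrapping that plist,
    so it starts with the ASN.1 SEQUENCE tag 0x30. This says only that a
    signature exists; it does not validate the signer's certificate chain,
    which is what iOS does when it decides between "Verified" and "Not Verified".
    """
    head = raw.lstrip()
    if head.startswith(b"<"):
        return False
    if head[:1] == b"\x30":
        return True
    raise ValueError("not a recognisable configuration profile")


def extract_plist(raw: bytes) -> bytes:
    """Return the XML plist bytes, unwrapping a CMS envelope if present.

    Heuristic for the signed case: the plist is embedded verbatim as the
    signed content, so slicing from '<?xml' to '</plist>' recovers it.
    """
    if not is_signed(raw):
        return raw
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("signed profile but no embedded plist found")
    return raw[start:end + len(b"</plist>")]


def inspect_profile(raw: bytes) -> dict:
    """Parse a profile and list the payloads that change trust or routing."""
    plist = plistlib.loads(extract_plist(raw))
    payloads = plist.get("PayloadContent", [])
    types = [p.get("PayloadType", "") for p in payloads]
    findings = [(t, RISKY_PAYLOADS[t]) for t in types if t in RISKY_PAYLOADS]
    return {
        "display_name": plist.get("PayloadDisplayName"),
        "identifier": plist.get("PayloadIdentifier"),
        "organization": plist.get("PayloadOrganization"),
        "signed": is_signed(raw),
        "payload_types": types,
        "findings": findings,
    }


# Constructed sample: an unsigned profile of the "free movies" kind described
# in the article, carrying a VPN payload and a root CA (placeholder bytes).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.free-movies</string>
  <key>PayloadUUID</key><string>8F3C1B2E-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Free Movies Setup</string>
  <key>PayloadOrganization</key><string>Example Streaming (constructed)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.free-movies.vpn</string>
      <key>PayloadUUID</key><string>8F3C1B2E-0000-4000-8000-000000000002</string>
      <key>UserDefinedName</key><string>Movies VPN</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.free-movies.ca</string>
      <key>PayloadUUID</key><string>8F3C1B2E-0000-4000-8000-000000000003</string>
      <key>PayloadContent</key><data>cGxhY2Vob2xkZXI=</data>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    report = inspect_profile(SAMPLE_PROFILE)
    print(f"{report['display_name']!r} from {report['organization']!r}, "
          f"signed={report['signed']}")
    for ptype, why in report["findings"]:
        print(f"  WARNING {ptype}: {why}")
```

Run against a downloaded file with `inspect_profile(open("profile.mobileconfig", "rb").read())`. A profile that asks for a root CA or a VPN while promising nothing more than video streaming is the pattern the article warns about, and an unsigned one delivered over http is exactly what an on-path attacker can replace. To actually validate a signature rather than just detect one, verify the CMS wrapper with OpenSSL (`openssl smime -verify -inform DER -in profile.mobileconfig -CAfile trusted.pem`), which also prints the embedded plist.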