Configuration profiles can be installed on the iPhone, iPod touch, or iPad in order to allow ad hoc (beta) apps to run, to help Apple diagnose things like battery life problems, and to change settings for certain types of network access, among other things. Unfortunately, like many empowered conveniences, they bring with them theoretical security concerns. Namely, bad guys could make a malicious profile and try to trick us into installing it so they can do us harm. Skycure — a security vendor, keep in mind — reports:
A malicious profile could be used to remote control mobile devices, monitor and manipulate user activity and hijack user sessions. In addition to being able to route all of the victim’s traffic through the attacker’s server, a more interesting and hazardous characteristic of malicious profiles is the ability to install root certificates on victims’ devices. This makes it possible to seamlessly intercept and decrypt SSL/TLS secure connections, on which most applications rely to transfer sensitive data. A few concrete impact examples include: stealing one’s Facebook, LinkedIn, mail and even bank identities and acting on his/her behalf in these accounts, potentially creating havoc.
Matthew Panzarino of The Next Web went through a demo:
After the profile was installed, [Skycure CEO Adi Sharabani] demonstrated to me that he could not only read exactly which websites I was visiting, but also scrape keystrokes, searches and login data from apps like Facebook and LinkedIn. To be perfectly clear, this is not a vulnerability within iOS, instead it uses standardized frameworks to deliver a profile that has malicious intent.
To be clear, like any social engineering attack, we, the users, have to install the malicious profile. It's not dissimilar to phishing attacks or web pop-ups on Windows or Mac PCs that claim account problems, promise free movies, porn or gadgets, or use other scare tactics and enticements to get us to click/tap and install them on our systems. That's because they're not allowed to install themselves; we have to let them in ourselves.
For configuration profiles, you need to tap a link to initiate the install, then confirm the install in a modal pop-up dialog. Two user actions are required. The install screen also shows what the profile is going to do. For example, Panzarino's showed VPN settings. That means all his traffic would be sent through someone else's Virtual Private Network.
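As an added example (not from the article, Skycure or Apple), here is a small Python script that inspects an unsigned .mobileconfig before you tap Install and lists the payloads that would reroute traffic or add a trust anchor. The PayloadType strings are the ones Apple documents in its Configuration Profile Reference; the sample profile, its names, identifiers and certificate bytes are constructed placeholders.

```python
import plistlib
import xml.parsers.expat

# PayloadType values from Apple's Configuration Profile Reference whose effect
# is to redirect traffic or add a trust anchor: the capabilities the demo used.
RISKY_PAYLOADS = {
    "com.apple.vpn.managed": "routes device traffic through a VPN server",
    "com.apple.proxy.http.global": "sets a global HTTP proxy",
    "com.apple.security.root": "installs a root CA (can defeat TLS trust)",
    "com.apple.security.pkcs1": "installs a certificate",
}


def inspect_profile(data: bytes) -> dict:
    """Summarize what an unsigned .mobileconfig would change if installed."""
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, xml.parsers.expat.ExpatError):
        # Signed profiles are CMS-wrapped DER, not a bare plist; unwrap first.
        return {"parsed": False, "name": None, "organization": None, "findings": []}
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings.append((ptype, RISKY_PAYLOADS[ptype]))
    return {
        "parsed": True,
        "name": profile.get("PayloadDisplayName", "<unnamed>"),
        "organization": profile.get("PayloadOrganization", "<none>"),
        "findings": findings,
    }


def _payload(ptype: str, ident: str, **extra) -> dict:
    # Minimal payload dict; identifiers and UUIDs are constructed placeholders.
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": "constructed-" + ident, **extra}


# Constructed sample resembling the demo profile: a VPN plus a root CA.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "example.constructed", "PayloadUUID": "constructed-0",
    "PayloadDisplayName": "Free Movies Booster",
    "PayloadContent": [
        _payload("com.apple.vpn.managed", "example.constructed.vpn",
                 UserDefinedName="Booster VPN", VPNType="IPSec"),
        _payload("com.apple.security.root", "example.constructed.ca",
                 PayloadContent=b"PLACEHOLDER-NOT-A-CERTIFICATE"),
    ],
})
```

Run `inspect_profile` on the raw bytes of a profile you were asked to install; a profile with no organization name, or with VPN, proxy or root-CA payloads from a source you don't know, is the one to decline.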
So, just like with desktop web browsers, we have to be careful what we click/tap on. The same advice always applies, be it in real life or virtual systems. Don't talk to strange configuration profiles. Don't take candy from them and don't help them find lost pets.
I have a ton of MobileConfigs installed on my iPhones and iPads because I beta test a ton of apps. However, I only ever install them from developers I know and trust.
Don't be panicked, but absolutely be careful. Hit the link below for more on how this works and what you need to look out for.