{
	"id": "f915d51f-87fb-4379-9a58-493452a6cd8a",
	"created_at": "2026-04-06T00:06:34.951538Z",
	"updated_at": "2026-04-10T03:20:16.343415Z",
	"deleted_at": null,
	"sha1_hash": "e3bacaa86af9972cbb14fb4bcd27075db835acbd",
	"title": "Malicious Profiles - The Sleeping Giant of iOS Security »",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 159232,
	"plain_text": "Malicious Profiles - The Sleeping Giant of iOS Security »\r\nPosted by Yair Amit\r\nPublished: 2013-03-12 · Archived: 2026-04-05 23:34:03 UTC\r\nMalware is prevalent. Mobile malware is on the rise. We are used to the perception that Android users are always under the threat of being attacked by malware and should therefore be highly suspicious of the software they install, while iOS users are immune and can install whatever they want without hesitation, thanks to Apple’s “walled-garden” approach. Well… this isn’t exactly the case.\r\nAs I’ll discuss further in this post, there is another way to create havoc on a device, comparable to sophisticated malware, without actually installing a program on it.\r\nBackground\r\nWhen discussing mobile malware, which keeps getting more attention as time goes by, we usually think about Android. While the iOS App Store has been hit by malware in the past, this phenomenon is certainly negligible nowadays (though we believe this can change as well; more on that in future blog posts).\r\nThanks to Apple’s application review process and app sandboxing, iOS users are in a pretty good position when it comes to security. The application review process makes it harder for attackers to get malicious apps into Apple’s App Store. Moreover, app sandboxing ensures that malicious applications have limited permissions and capabilities if and when they reach an iOS device. As the diagram below shows, a sandboxed application has access only to restricted resources and cannot change system-level settings.\r\nSource: Apple’s app sandbox design guide\r\niOS profiles, also known as mobileconfig files, are used by cellular carriers, Mobile Device Management (MDM) solutions and even mobile applications to configure key system-level settings of iOS devices. These include Wi-Fi, VPN, email and APN settings, among others.
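To make these capabilities concrete, here is an added example (written for this page; it is not code from the original post or from Skycure) that parses a mobileconfig, lists the payloads it carries and flags the ones that give an attacker the capabilities discussed below under Impact: a root certificate payload (SSL/TLS interception), a global HTTP proxy or VPN payload (traffic routing through the attacker’s server) and APN, cellular or Wi-Fi payloads (control of the network path). It also distinguishes an unsigned profile, a bare XML plist, from a signed one, a DER-encoded CMS (PKCS#7) structure wrapping that plist; only a signed profile can ever be shown by iOS as verified. The two profiles embedded in the script are constructed samples: the display names, identifiers, the 198.51.100.7 proxy address and the four-byte placeholder in the certificate payload are made up, and the severity ratings are the example’s own, not Apple’s. The payload type identifiers are the ones Apple documents in its Configuration Profile Reference.

```python
import plistlib

# Payload types that hand a malicious profile the capabilities discussed in the post.
# The type identifiers are Apple's (Configuration Profile Reference); the severity and
# wording are this example's own rating, not an Apple classification.
RISKY_PAYLOADS = {
    'com.apple.security.root': ('high', 'installs a trusted root CA, so SSL/TLS traffic can be intercepted and decrypted'),
    'com.apple.proxy.http.global': ('high', 'global HTTP proxy: all web traffic is routed through the proxy host'),
    'com.apple.vpn.managed': ('high', 'VPN configuration: device traffic can be routed through the VPN server'),
    'com.apple.apn.managed': ('medium', 'APN settings: the cellular data path (and any APN proxy) is set by the profile'),
    'com.apple.cellular': ('medium', 'cellular settings: the cellular data path is set by the profile'),
    'com.apple.wifi.managed': ('medium', 'Wi-Fi settings: the device can be made to auto-join a chosen network'),
}

def is_signed(blob):
    # A signed profile is a DER-encoded CMS SignedData structure wrapping the plist, so its
    # first byte is the ASN.1 SEQUENCE tag 0x30. An unsigned profile is the bare XML plist
    # and starts with <?xml or <plist. This is a format check only: it says whether iOS
    # could ever show the profile as Verified, not who signed it or whether that signer is trusted.
    return len(blob) > 0 and blob[0] == 0x30

def analyze_profile(blob):
    # Report for an unsigned (plain XML plist) profile. A signed blob is not parsed here;
    # unwrap it first, e.g. with: openssl smime -verify -inform der -noverify -in p.mobileconfig
    if is_signed(blob):
        return {'signed': True, 'display_name': None, 'payload_types': [], 'findings': [], 'verdict': 'unparsed'}
    profile = plistlib.loads(blob)
    payloads = profile.get('PayloadContent', [])  # top-level PayloadContent is the array of payloads
    findings = []
    for payload in payloads:
        ptype = payload.get('PayloadType', '')
        if ptype in RISKY_PAYLOADS:
            severity, reason = RISKY_PAYLOADS[ptype]
            findings.append({'type': ptype, 'severity': severity, 'reason': reason,
                             'identifier': payload.get('PayloadIdentifier', '')})
    levels = {f['severity'] for f in findings}
    verdict = 'high' if 'high' in levels else 'medium' if 'medium' in levels else 'low'
    return {'signed': False,
            'display_name': profile.get('PayloadDisplayName', ''),
            'payload_types': [p.get('PayloadType', '') for p in payloads],
            'findings': findings,
            'verdict': verdict}

# Constructed sample of a carrier-style profile that only sets an APN (every value is made up).
BENIGN_APN_PROFILE = b'''<?xml version='1.0' encoding='UTF-8'?>
<plist version='1.0'>
<dict>
  <key>PayloadDisplayName</key><string>Carrier Data Settings (constructed sample)</string>
  <key>PayloadIdentifier</key><string>com.example.carrier.apn</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.apn.managed</string>
      <key>PayloadIdentifier</key><string>com.example.carrier.apn.data</string>
      <key>apns</key><array><dict><key>apn</key><string>wap.example.net</string></dict></array>
    </dict>
  </array>
</dict>
</plist>
'''

# Constructed sample of the free-movies lure: a root CA plus a global proxy (every value is
# made up; the <data> element is a 4-byte placeholder, not a real certificate).
MALICIOUS_PROFILE = b'''<?xml version='1.0' encoding='UTF-8'?>
<plist version='1.0'>
<dict>
  <key>PayloadDisplayName</key><string>Free Movies Access (constructed sample)</string>
  <key>PayloadIdentifier</key><string>com.example.freemovies</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.freemovies.ca</string>
      <key>PayloadContent</key><data>MIIBAA==</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadIdentifier</key><string>com.example.freemovies.proxy</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>198.51.100.7</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
  </array>
</dict>
</plist>
'''

if __name__ == '__main__':
    for blob in (BENIGN_APN_PROFILE, MALICIOUS_PROFILE):
        report = analyze_profile(blob)
        print(report['display_name'], '->', report['verdict'])
        for f in report['findings']:
            print('  [%s] %s: %s' % (f['severity'], f['type'], f['reason']))
```

Run directly, it prints one verdict per sample: the carrier profile rates medium (it only controls the APN), the lure rates high. A profile that arrives signed has to be unwrapped before analysis, for instance with openssl smime -verify -inform der -noverify, which writes out the inner plist; the -noverify flag skips chain validation, so use it only to inspect the content, never to decide whether to trust the profile.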
While mobileconfigs are usually used for constructive purposes and thus provide a lot of value, these same capabilities can be used by attackers to circumvent Apple’s security model and do significant damage to their victims.\r\nImpact\r\nhttps://web.archive.org/web/20150203010257/https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/\r\nPage 1 of 4\n\nA malicious profile could be used to remotely control mobile devices, monitor and manipulate user activity and hijack user sessions. In addition to routing all of the victim’s traffic through the attacker’s server, a more interesting and hazardous capability of malicious profiles is installing root certificates on victims’ devices. This makes it possible to seamlessly intercept and decrypt SSL/TLS connections, on which most applications rely to transfer sensitive data; applications that pin their server certificate are the exception, everything that relies on the system trust store is exposed. A few concrete examples of the impact: stealing a victim’s Facebook, LinkedIn, mail and even bank identities and acting on his/her behalf in these accounts, potentially creating havoc.\r\nWe created an online demo that demonstrates the above. We believe it gives a good sense of the severity and ease of the attack. If you would like more information, feel free to leave us a note at contact@skycure.com and we’ll gladly follow up with you.\r\nInfection Scenarios\r\nLuring victims into installing a malicious mobileconfig is rather simple, as attackers can draw on their accumulated social-engineering knowledge. Here are two examples of common techniques:\r\n1. Victims browse to an attacker-controlled website that promises them free access to popular movies and TV shows. To get the free access, “all they have to do” is install an iOS profile that will “configure” their devices accordingly.\r\n2. 
Victims receive an email that promises them “better battery performance” or just “something cool to watch” upon installation.\r\nSample profile-based iOS malware attack\r\nNot surprisingly, the above is very similar to the way viruses have been circulating on the Internet for many years now.\r\nHowever, we identified another possible infection vector, which can prove very effective because it relies on the trust between customers and their service providers. A quick survey we did uncovered a variety of cellular carriers, many of them MVNOs, that ask their clients to install mobileconfig files in order to receive data plan access; unfortunately, these processes usually make poor use of security measures. As part of our work, we identified a worrisome process at several AT\u0026T stores, which is described below. As part of our responsible disclosure process, we notified and worked with AT\u0026T to address our findings. We would like to further reduce the exposure to such threats by raising awareness among both AT\u0026T and non-AT\u0026T clients.\r\nInsecure iOS profile installation process: AT\u0026T as a case study\r\nWe recently witnessed a problematic procedure at several AT\u0026T stores we visited. As pay-as-you-go clients who own an iPhone, we were directed to download and install profiles on our own devices. According to AT\u0026T’s instructions (see below a copy of an instructions document we received from an AT\u0026T salesperson in Manhattan), users are advised to download a profile from http://unlockit.co.nz over an unencrypted channel. Installing this mobileconfig, which configures APN settings on the device, is mandatory for gaining access to AT\u0026T’s data network. 
In one of the stores, an AT\u0026T salesperson actually took our phone and performed the process described above over a public Wi-Fi network, which is an easy target for man-in-the-middle attacks.\r\nSource: AT\u0026T store, Manhattan\r\nWhat is wrong with this process?\r\nGiven the capabilities of mobileconfig profiles, any connection to an external resource for the purpose of downloading and installing a profile on an iOS device deserves careful thought. The specific interaction with http://unlockit.co.nz is done in plain text, without an SSL/TLS encryption layer. As is well known, a man-in-the-middle attack can alter the mobileconfig on its way to the phone, allowing the attacker to install a malicious mobileconfig on the user’s device without his/her consent or knowledge. This is easily done with techniques such as ARP poisoning or an evil-twin access point against the Wi-Fi network the customer uses to install the profile, such as AT\u0026T’s in-store Wi-Fi or an Internet cafe network. Because the downloaded profile is unsigned, nothing on the device can detect the substitution: iOS merely labels it “Not Verified” and still lets the user install it.\r\nDuring our discussion with AT\u0026T’s security team on the matter, they stated that AT\u0026T’s formal policy does not allow prepaid iOS device offerings. However, given that the AT\u0026T stores we visited didn’t seem to
We would like to\r\nthank AT\u0026T’s security team for their cooperation and commitment to the security of AT\u0026T’s customers.\r\nEndnote\r\nBy taking into consideration the great amount of sensitive actions we perform and the data we store on our mobile\r\ndevices along with the ease of taking advantage of users’ innocence to perform malicious profile attacks, we get to\r\nthe conclusion that the days of mass exploitation of this attack vector are getting close. Therefore, we find it\r\nimportant to raise awareness to the threats and discuss possible mitigations.\r\nIn order to mitigate the risk of malicious profiles, you should strive to follow the next three thumb rules:\r\n1. You should only install profiles from trusted websites or applications.\r\n2. Make sure you download profiles via a secure channel (e.g., use profile links that start with https and not\r\nhttp).\r\n3. Beware of non-verified mobileconfigs. While a verified profile isn’t necessarily a safe one, a non-verified\r\nshould certainly raise your suspicion.\r\nIf you identify a suspicious profile, we encourage you to send us the details of the profile and the origin you\r\ndownloaded it from to security@skycure.com. We will scan it and get back to you with our findings.\r\nHertzliya Conference\r\n+Adi Sharabani plans to present our findings at the Hertzliya conference cyber security track led by Yuval\r\nNe’eman’s Workshop later on today – if you happen to attend the conference, you are most welcome to join us for\r\na quick chat.\r\nSource: https://web.archive.org/web/20150203010257/https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/\r\nhttps://web.archive.org/web/20150203010257/https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20150203010257/https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/"
	],
	"report_names": [
		"malicious-profiles-the-sleeping-giant-of-ios-security"
	],
	"threat_actors": [],
	"ts_created_at": 1775433994,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3bacaa86af9972cbb14fb4bcd27075db835acbd.pdf",
		"text": "https://archive.orkl.eu/e3bacaa86af9972cbb14fb4bcd27075db835acbd.txt",
		"img": "https://archive.orkl.eu/e3bacaa86af9972cbb14fb4bcd27075db835acbd.jpg"
	}
}