Mobile Threat Catalogue

Malicious Configuration Profiles


Threat Category: Mobile Operating System

ID: STA-7

Threat Description: Malicious configuration profiles may install unwanted CA certificates (which let the adversary intercept the device’s TLS traffic) or VPN settings that route the device’s network traffic through an adversary’s system. The profile could also enroll the device into a malicious Mobile Device Management (MDM) system, giving the adversary ongoing control over the device’s settings and applications.1

Threat Origin

Malicious Profiles - The Sleeping Giant of iOS Security 2

Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices 3

Symantec Internet Security Threat Report 2016 4

Exploit Examples

Threat Advisory Semi Jailbreak 5

YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs 6

iOS SideStepper Vulnerability Undermines MDM Services: Check Point 7

Apple iPhone, iPad iOS 9 security flaw lets malicious apps sneak onto enterprise devices 8

CVE Examples

Not Applicable

Possible Countermeasures

Enterprise

To prevent attackers from creating counterfeit management profiles by signing them with stolen enterprise certificates, ensure strong security measures are used to protect both enterprise access to trusted certificate services (e.g., VeriSign) and any certificates obtained from them (e.g., MDM server certificates, Apple Push Notification Service certificates).

To prevent a device from accepting a malicious management profile after enrollment, use EMM/MDM solutions in combination with devices that verify the integrity and authenticity of management profiles before applying them, such as by accepting only digitally-signed profiles whose signature chains to a trusted certificate.

To prevent users from accepting prompts to install malicious management profiles, educate users about the risks associated with installing an untrusted profile and ensure that enrollment processes allow users to know when management profiles are legitimate (e.g., in-person enrollment, or secure out-of-band deployment methods such as digitally-signed or encrypted e-mails).

To prevent users from installing malicious digital certificates, which greatly facilitate this form of attack, educate users about the risks associated with installing digital certificates, and ensure that installation processes allow users to know when digital certificates are legitimate (e.g., in-person enrollment, or secure out-of-band deployment methods such as digitally-signed or encrypted e-mails).
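The threat description and the signed-profile countermeasure above both come down to one question an administrator or analyst has to answer before a profile reaches a device: what payloads does it carry, and is it signed? The following Python script is an added example written for this page, not code from the Mobile Threat Catalogue or from Apple. It parses an unsigned .mobileconfig with the standard library's plistlib, flags the payload types that add trust anchors, redirect traffic, or enroll the device in MDM, and refuses to inspect a CMS-signed profile until it has been verified and unwrapped. The payload type identifiers (com.apple.security.root, com.apple.vpn.managed, com.apple.mdm, and so on) and keys such as PayloadRemovalDisallowed, RemoteAddress and ServerURL are Apple's documented profile keys; the sample profiles, their *.invalid hostnames and the certificate bytes are constructed placeholders for the demonstration.

```python
import plistlib

# Apple PayloadType identifiers for payloads that add trust anchors,
# redirect traffic, or hand control of the device to a third party.
RISKY_PAYLOAD_TYPES = {
    "com.apple.security.root": "installs a trusted root CA certificate",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.security.pkcs12": "installs a certificate with its private key",
    "com.apple.vpn.managed": "configures a VPN that can carry all device traffic",
    "com.apple.proxy.http.global": "sets a device-wide HTTP proxy",
    "com.apple.mdm": "enrolls the device with an MDM server",
}

def is_signed(profile_bytes):
    """A signed .mobileconfig is a CMS (PKCS#7) DER envelope rather than a
    plist. Plists start with an XML prolog or the 'bplist00' magic; anything
    else is treated as signed and must be verified and unwrapped first."""
    head = profile_bytes.lstrip()[:8]
    return not (head.startswith(b"<?xml") or head.startswith(b"bplist00"))

def describe_payload(payload):
    """One-line description of a risky payload, or None if it is not one
    of the types listed above."""
    ptype = payload.get("PayloadType", "")
    if ptype not in RISKY_PAYLOAD_TYPES:
        return None
    detail = RISKY_PAYLOAD_TYPES[ptype]
    # Surface the endpoint the payload would point the device at, where the
    # payload type carries one.
    if ptype == "com.apple.vpn.managed":
        for section in ("VPN", "IPSec", "IKEv2"):
            addr = payload.get(section, {}).get("RemoteAddress")
            if addr:
                detail += " (endpoint %s)" % addr
                break
    elif ptype == "com.apple.mdm":
        detail += " (server %s)" % payload.get("ServerURL", "?")
    elif ptype == "com.apple.proxy.http.global":
        detail += " (%s:%s)" % (payload.get("ProxyServer", "?"),
                                payload.get("ProxyPort", "?"))
    elif ptype == "com.apple.security.root":
        detail += " (%d bytes of DER)" % len(payload.get("PayloadContent", b""))
    return "%s: %s" % (ptype, detail)

def audit_profile(profile_bytes):
    """Return a list of findings for an unsigned profile. Raises ValueError
    for a CMS-wrapped profile so the caller verifies the signature instead
    of trusting an unparsed blob."""
    if is_signed(profile_bytes):
        raise ValueError("CMS-signed profile: verify and unwrap it before auditing")
    profile = plistlib.loads(profile_bytes)
    findings = []
    # A profile the user cannot remove keeps its CA, VPN or MDM payloads in
    # place until the device is wiped or an MDM removes it.
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("PayloadRemovalDisallowed: user cannot remove this profile")
    for payload in profile.get("PayloadContent", []):
        desc = describe_payload(payload)
        if desc:
            findings.append(desc)
    return findings

def build_profile(payloads, removal_disallowed=False):
    """Serialize a constructed, unsigned profile (used only for the samples)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": "Free Wi-Fi Booster",
        "PayloadIdentifier": "example.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadContent": payloads,
    }
    if removal_disallowed:
        profile["PayloadRemovalDisallowed"] = True
    return plistlib.dumps(profile)

# Constructed sample shaped like the attack in the threat description: a root
# CA, an on-demand VPN and MDM enrollment, with removal locked. The cert bytes
# and the *.invalid hostnames are placeholders, not a real CA or server.
MALICIOUS_PROFILE = build_profile([
    {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
     "PayloadIdentifier": "example.profile.ca",
     "PayloadContent": b"\x30\x82\x00\x00"},
    {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
     "PayloadIdentifier": "example.profile.vpn", "UserDefinedName": "Booster",
     "VPNType": "IKEv2", "OnDemandEnabled": 1,
     "IKEv2": {"RemoteAddress": "vpn.attacker.invalid",
               "AuthenticationMethod": "None"}},
    {"PayloadType": "com.apple.mdm", "PayloadVersion": 1,
     "PayloadIdentifier": "example.profile.mdm",
     "ServerURL": "https://mdm.attacker.invalid/mdm",
     "CheckInURL": "https://mdm.attacker.invalid/checkin",
     "Topic": "com.apple.mgmt.External.placeholder", "AccessRights": 8191},
], removal_disallowed=True)

# Constructed benign profile: a single Wi-Fi payload, removable by the user.
BENIGN_PROFILE = build_profile([
    {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
     "PayloadIdentifier": "example.profile.wifi", "SSID_STR": "CorpWiFi",
     "EncryptionType": "WPA2", "Password": "placeholder", "AutoJoin": True},
])

if __name__ == "__main__":
    for finding in audit_profile(MALICIOUS_PROFILE):
        print(finding)
```

Profiles delivered by an MDM or by e-mail are normally CMS-signed, which is why the audit refuses them as-is: a signature is only worth something if it is checked against the chain you expect. On a host with OpenSSL, `openssl smime -verify -inform DER -in profile.mobileconfig -CAfile trusted-chain.pem -out profile.plist` verifies the signature against that chain and writes the inner plist, which can then be passed to audit_profile; running the same command with -noverify instead of -CAfile only unwraps the profile and proves nothing about who signed it.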

References

  1. MITRE, “Install Insecure or Malicious Configuration,” MITRE ATT&CK, technique T1478; https://attack.mitre.org/techniques/T1478 [accessed 12/02/2019] 

  2. Y. Amit, “Malicious Profiles - The Sleeping Giant of iOS Security”, Skycure Blog, 12 Mar. 2013; https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/ [accessed 8/23/2016] 

  3. L. Neely, Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices, SANS Institute, 2016; www.sans.org/reading-room/whitepapers/analyst/mobile-threat-protection-holistic-approach-securing-mobile-data-devices-36715 [accessed 8/25/2016] 

  4. Internet Security Threat Report vol. 21, Symantec, 2016; https://docs.broadcom.com/doc/istr-16-april-volume-21-en [accessed 8/1/2022] 

  5. Wandera, “Threat Advisory: Semi Jailbreak”; https://www.wandera.com/resources/dl/TA_SemiJailbreak.pdf [accessed 8/23/2016] 

  6. C. Xiao, “YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs,” Palo Alto Networks blog, 25 Oct. 2015; http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ 

  7. T. Claburn, “iOS SideStepper Vulnerability Undermines MDM Services: Check Point,” InformationWeek, 31 Mar. 2016; www.informationweek.com/mobile/mobile-devices/ios-sidestepper-vulnerability-undermines-mdm-services-check-point/d/d-id/1324920 

  8. L. Tung, “Apple iPhone, iPad iOS 9 security flaw lets malicious apps sneak onto enterprise devices,” ZDNet, 1 Apr. 2016; www.zdnet.com/article/apple-iphone-ipad-ios-9-security-flaw-lets-malicious-apps-sneak-onto-enterprise-devices/