New Security Flaw Could Block Email, Safari, Other Apps

A new security flaw has been uncovered in the iPhone’s software that could have potentially serious ramifications. The issue lies in the ability to download system configuration files over-the-air through Mobile Safari, which enterprise businesses use to install configuration files to make setup possible. A group of anonymous hackers have figured out a way to make the configuration file register as being “Verified” on the device, and even have it show up as being sent from Apple Inc, allowing them to trick someone into install a malicious system config file without knowing it.

With this ability, someone could simply create an official-looking web interface for people to navigate to on their iPhones and advertise it on some social networks, and they’d be able to trick large numbers of people into installing the file. Such a page would be indistinguishable from the real thing, as the one below:

Such a file could potentially be used to reconfigure the device’s proxy settings to disable Safari, Mail, and a few other third-party apps. Worse yet, it could even have the ability to make itself impossible to be removed by the user, requiring the device to be completely wiped to remove it.

What can you do to protect against it? If you see a screen like the one above, don’t click on the “Install” button. The result could be disastrous. Otherwise, you should be alright.

[via ThreatPost]


View the comments on the forum…