Security firm Skycure illustrates possible hacking attacks through iOS’ use of Provisioning Profiles

Posted by:
Date: Tuesday, March 12th, 2013, 07:41
Category: iOS, iPhone, News, security, Software

In the words of assorted security analysts, Apple may be setting itself up for a malware fall thanks to its Provisioning Profiles.

Per The Next Web, while iOS users have been relatively safe from malware on their devices, researchers from security company Skycure say they’re concerned about a feature of iOS that could be used by malicious actors to read information, passwords and even encrypted data from devices without customers’ knowledge. They’ve detailed the new vulnerability in a presentation at the Herzliya Conference and a company blog post.

It’s worth noting at the beginning that Skycure’s product, still in development, is a mobile firewall with a cloud component designed to secure devices against attacks just like these. This isn’t all that unusual, though, as many security firms like Sophos and Intego produce research reports along with consulting and security products.

Provisioning Profiles (mobileconfigs) are small files installed with a single tap on iOS devices. They essentially function as instruction lists which can alter many settings, including network configurations, and they’re used by thousands of companies around the world, including app developers, corporations with IT departments and more.

Their use is officially approved by Apple and there is nothing innately malicious about any given profile. But, if put to the right uses, they do open up the ability to read usernames and passwords right off of a screen, transmit data that would normally be secure (over HTTPS) to a malicious server where it can be read and a lot more.

In a demonstration, Skycure’s CTO Yair Amit and CEO Adi Sharabani sent the author to a website where a link was offered. A provisioning profile was presented, installed and led to a screen that looked a lot like a phishing attempt, which requires an action on the part of a user in order to infect or grant access to a hacker.

After the profile was installed, Sharabani demonstrated that he could not only read exactly which websites the author had visited, but also scrape keystrokes, searches and login data from apps like Facebook and LinkedIn. To be perfectly clear, this is not a vulnerability within iOS; instead, it uses standardized frameworks to deliver a profile that has malicious intent.

iOS has typically been far more secure than other platforms because of its heavy use of curation on the App Store, but also because it has been built from the ground up to use sandboxing. This means that apps are cordoned off, unable to reach outside of their data box or to affect any other apps that have not given them explicit permission to do so.

Provisioning Profiles step outside of that protection and can do things like route all of a victim’s traffic through a third-party server, install root certificates allowing for interception and decryption of secure HTTPS traffic and more.

Sharabani provides a couple of scenarios by which people could be convinced to install what seems like a harmless provisioning profile, only to be a victim of a traffic re-routing attack:

– Victims browse to an attacker-controlled website, which promises them free access to popular movies and TV shows. In order to get the free access, “all they have to do” is to install an iOS profile that will “configure” their devices accordingly.

– Victims receive a mail that promises them a “better battery performance” or just “something cool to watch” upon installation.

The attacks, Sharabani stated, can be configured to use a VPN, APN proxy or a wireless proxy (WiFi), so just because you’re not on a WiFi network doesn’t mean that the profile can’t send your traffic to a third-party. This also means that (unlike a VPN, where there is an indicator in your status bar), you could also be affected by the hack without your knowledge. Of course, you would still have had to install a profile in the first place.

For the third attack scenario, Skycure came up with a list of cellular carriers that ask clients to install a special profile that configures their device to work with that network’s data servers. Of course, those sites could end up being compromised to deliver corrupted profiles, but it’s bound to be harder to do if it’s the carrier’s own servers doing the distribution.

As of now, no evidence has been found of a Provisioning Profile attack in the wild. And, to be extremely blunt once again, you are not at risk at all if you don’t install any profiles to your device, period. And if you have to, make sure that those profiles are from a trusted source and are verified. You should also only download and install profiles from ‘secure’ HTTPS links.
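As an added example (not from Skycure or the original article), the Python sketch below inspects an unsigned .mobileconfig before anyone installs it and reports the payloads the article warns about: root certificates, VPN, APN and proxy settings. The payload type strings and Wi-Fi proxy keys are the identifiers Apple documents for these files, which it calls configuration profiles; the sample profile, its names and the proxy host are constructed.

```python
import plistlib

# Payload types that change trust or traffic routing, as described above.
RISKY_TYPES = {
    "com.apple.security.root": "installs a root certificate (enables HTTPS interception)",
    "com.apple.vpn.managed": "configures a VPN (traffic can be tunnelled to a third party)",
    "com.apple.apn.managed": "changes cellular APN settings (can include a proxy)",
    "com.apple.proxy.http.global": "sets a global HTTP proxy",
}


def load_profile(data):
    """Parse an unsigned profile. Signed profiles are CMS-wrapped DER, not a plist."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:
        raise ValueError(
            "not a plain plist; a signed profile must have its CMS content extracted first"
        ) from exc
    if not isinstance(profile, dict) or profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    return profile


def audit_profile(data):
    """Return one human-readable finding per trust- or routing-related payload."""
    findings = []
    for payload in load_profile(data).get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        ptype = payload.get("PayloadType", "")
        name = payload.get("PayloadDisplayName", ptype)
        if ptype in RISKY_TYPES:
            findings.append(f"{name}: {RISKY_TYPES[ptype]}")
        # Wi-Fi payloads are routine; the proxy setting is what redirects traffic.
        proxy_type = payload.get("ProxyType", "None")
        if ptype == "com.apple.wifi.managed" and proxy_type != "None":
            target = payload.get("ProxyServer") or payload.get("ProxyPACURL", "?")
            findings.append(f"{name}: Wi-Fi proxy ({proxy_type}) via {target}")
    return findings


# Constructed sample profile; every value here is a placeholder.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "invalid.example.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000000",
    "PayloadDisplayName": "Constructed sample",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadDisplayName": "Example CA",
         "PayloadContent": b"placeholder-not-a-certificate"},
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadDisplayName": "Cafe Wi-Fi", "SSID_STR": "cafe",
         "ProxyType": "Manual", "ProxyServer": "proxy.example.invalid",
         "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadDisplayName": "Office Wi-Fi", "SSID_STR": "office",
         "ProxyType": "None"},
    ],
})

if __name__ == "__main__":
    for line in audit_profile(SAMPLE):
        print(line)
```

An empty result only means none of these payload types were found; it does not show that a profile is safe to install.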

The disclosure of the issue, Sharabani says, is really about raising awareness, rather than starting a panic. While the attacks can be powerful and harmful, the Provisioning Profile attack, much like phishing, relies on user ignorance. Just as you wouldn’t type your password into a page provided as a random link, don’t install profiles from websites that you don’t know and avoid them completely if at all possible.

Because of the deep integration of Provisioning Profiles into the workflows of IT departments and other companies, it’s unlikely that they’ll be going away any time soon. So the best defense for now is knowledge and care.

Stay tuned for additional details as they become available.

Lawmakers drafting bipartisan bill that would allow for cell phone unlocking after contract terms have been met

Posted by:
Date: Tuesday, March 12th, 2013, 07:30
Category: iPhone, Legal, News

Well, maybe SOME aspects of the government sort of work.

Per AppleInsider, U.S. Senator Al Franken and members of the Senate Judiciary Committee have introduced bipartisan legislation that would allow users to legally unlock their smartphone once their contract subsidy has concluded.

The Democrat from Minnesota announced on Tuesday that the “Unlocking Consumer Choice and Wireless Competition Act” would restore an exemption to the Digital Millennium Copyright Act and allow users to unlock their cell phone once their contract expires.

Joining Franken were Judiciary Committee Chairman Sen. Patrick Leahy (D-Vt.), Judiciary Committee Ranking Member Sen. Chuck Grassley (R-Iowa), Sen. Orrin Hatch (R-Utah), and Sen. Mike Lee (R-Utah).

The senators defined the bill as a “narrow and common sense proposal” that they believe will promote competition and improve consumer choice.

The bill was prompted by a Library of Congress ruling made in late 2012 that determined cell phone unlocking would be removed as a legal exemption from the Digital Millennium Copyright Act. As of Jan. 26, 2013, unauthorized unlocking of all newly purchased phones became illegal.

“Right now, folks who decide to change cellphone carriers are frequently forced to buy a new phone or risk the possibility of criminal penalties, and that’s just not fair for consumers,” Franken said. “This bipartisan legislation will quickly allow consumers to unlock their current phones instead of having to purchase a new one. I support this commonsense solution to save consumers money.”

Last week, President Barack Obama’s administration also came out in support of legalizing the unlocking of cell phones and tablets. Their endorsement was given in response to a White House petition created by Sina Khanifar, which to date has received nearly 115,000 signatures.

Khanifar said he frequently travels from Europe to San Francisco, Calif. Those international trips have made cell phone locking not only a nuisance, but also a financial burden.

“Anyone who travels internationally, and most people do at some point, you won’t be able to take your cell phone with you,” he said. “Trying to use it with the existing roaming fees that carriers charge is almost impossible because they’re so exorbitant.”

The proposed Senate bill would alleviate those issues for consumers like Khanifar. A similar bipartisan bill is also expected to be introduced in the House of Representatives this week.

“It just makes sense that cell phone users should be able to do what they want with their phones after satisfying their initial service contract,” Hatch said. “This bill reinstates that ability, while also ensuring that copyrights are not violated.”

Stay tuned for additional details as they become available.

Early iPhone prototype photo gallery posted

Posted by:
Date: Monday, March 11th, 2013, 07:27
Category: Hardware, iPhone, Pictures

It may not be an exclusive picture of the next-gen iPhone, but it’s interesting to know where the iOS devices you love come from.

Per Ars Technica, a photo gallery has been released of a prototype of the original 2007 iPhone, complete with a 5″x7″ display and a variety of tacked-on ports that were used in testing.



It’s sort of a Frankenstein mish mash of ports and parts, but it became the device that’s most likely sitting in your pocket right now.

And honestly pretty cool stuff to boot.

AT&T cites support for unlocking handsets provided conditions are met

Posted by:
Date: Friday, March 8th, 2013, 13:17
Category: iPhone, News


This might make things easier.

Per TechHive and AT&T’s company blog, in the wake of efforts being made by consumers, politicians and the top librarian at the Library of Congress to permit unlocking your own mobile phone, which is a violation of the Digital Millennium Copyright Act (DMCA), AT&T has gone on the record to state that the company won’t impede these efforts and will assist where possible.

“I want to be completely clear that AT&T’s policy is to unlock our customers’ devices if they’ve met the terms of their service agreements and we have the unlock code,” vice president Joan Marsh wrote in a company blog posted Friday entitled “Bottom Line: We Unlock Our Customers’ Devices.”

“It’s a straightforward policy, and we aim to make the unlocking process as easy as possible,” she added.

Marsh explained that the company will unlock a customer’s phone as long as the carrier can obtain the unlock code for the device and the phone’s owner has had an active account with AT&T for at least 60 days, the account is in good standing, and there’s no unpaid balance on it.

“If the conditions are met, we will unlock up to five devices per account per year,” Marsh wrote.

AT&T will not unlock devices that have been reported stolen, though.

The carrier’s unlock policy is consistent with the one aired by the White House in a response to an electronic petition criticizing last year’s ruling that phone unlocking was illegal. That petition garnered more than 100,000 signatures.

“The White House agrees with the 114,000+ of you who believe that consumers should be able to unlock their cell phones without risking criminal or other penalties,” R. David Edelman, White House senior advisor for Internet, innovation and privacy, wrote in the Obama administration’s official response to the petition.

“[I]f you have paid for your mobile device, and aren’t bound by a service agreement or other obligation, you should be able to use it on another network,” he added.

“It’s common sense,” he continued, “crucial for protecting consumer choice, and important for ensuring we continue to have the vibrant, competitive wireless market that delivers innovative products and solid service to meet consumers’ needs.”

Stay tuned for additional details as they become available.

Lawmakers looking to draft legislation to legalize cellphone unlocking

Posted by:
Date: Thursday, March 7th, 2013, 06:13
Category: iPhone, Legal, News

This could lead to something interesting.

Per 9to5Mac, following a statement from the White House on Monday confirming it would support “narrow legislative fixes” to make unlocking cellphones legal again, several lawmakers have announced plans to introduce legislation. According to a report from The Hill, Senate Judiciary Committee Chairman Patrick Leahy and Chair of the Judiciary Committee’s Subcommittee on Antitrust, Competition Policy, and Consumer Rights Senator Amy Klobuchar have confirmed they will introduce bills in support of the legalization of cellphone unlocking:

“I intend to work in a bipartisan, bicameral fashion to restore users’ ability to unlock their phones and provide them with the choice and freedom that we have all come to expect in the digital era,” Leahy said in a statement.

The Judiciary Committee, which handles copyright issues, would likely have jurisdiction over any bill to legalize cellphone unlocking.

Sen. Amy Klobuchar (D-Minn.), who chairs the Judiciary Committee’s Subcommittee on Antitrust, Competition Policy and Consumer Rights, said she plans to introduce her own bill this week.

During a recent panel discussion on Capitol Hill, other lawmakers voiced their support for the legislation, including Representatives Darrell Issa and Jared Polis, while The Hill reported the Federal Communications Commission’s Jessica Rosenworcel “encouraged Congress to re-examine the Digital Millennium Copyright Act.”

The decision was made by the Library of Congress in October to make unlocking cellphones illegal, and that policy officially took effect in January. Following the White House’s statement in response to a petition with over 110,000 signatures, the Library of Congress issued a statement and agreed that “the question of locked cell phones has implications for telecommunications policy and that it would benefit from review and resolution in that context.”

Stay tuned for additional details as they become available.

Local carrier Strata Networks to carry iPhone 5, provide additional coverage for Idaho, Utah, Colorado areas

Posted by:
Date: Wednesday, March 6th, 2013, 08:59
Category: iPhone, News, retail

If you were looking for iPhone 5 handsets and local carrier-based goodness in Colorado, Idaho or Utah, you’re in luck.

Per 9to5Mac, Utah-based Strata Networks recently started advertising that the device is “coming soon” to its network. In November, Strata officially rolled out its LTE network, the first in the Uintah Basin covering several counties in Utah, and the carrier also has local coverage in Idaho, Utah, and Colorado. A map of the carrier’s LTE coverage in Utah is below, while a full map of nationwide coverage can be found here.

Many other regional carriers have been known to offer the device at a discounted price compared to Apple and the major carriers, with the iPhone 5 starting at US$149 on a two-year contract through many of them.

Stay tuned for additional details as they become available.

Rumor: Next-gen iPads could arrive in April, iPhone 5S to hit in August

Posted by:
Date: Tuesday, March 5th, 2013, 07:03
Category: Hardware, iPad, iPhone, Rumor

The rumor mill continues, but this time it offers a name for the next-gen iPhone as well as potential release dates.

Per iMore, Apple is planning the release of the iPhone 5S for this summer, currently for August. Next generation iPads, presumably the iPad 5 and potentially the iPad mini 2, may also debut as soon as this April.

Sources familiar with the plans have stated that the iPhone 5S does indeed have the same basic design as the iPhone 5, with a more advanced processor and an improved camera. With the iPhone 5, Apple reduced the thickness of the casing but managed to keep essentially the same, if not slightly better, overall quality. With the iPhone 5S, the aim is to once again raise the bar in terms of iPhone optics, including a much better camera in essentially the same casing.

Sources have pointed towards an April-ish launch for the next-generation iPads, albeit this has yet to be confirmed. iPad 5 casings have already begun to leak, although it’s unknown as to whether the iPad mini will receive a Retina display.

Stay tuned for additional details as they become available.

White House backs petition for unlocking of phones after contract expires

Posted by:
Date: Monday, March 4th, 2013, 14:05
Category: iPhone, Legal, News

If you were looking for a bit of positive news today, this might be it.

Per Engadget, a recent ruling that effectively bans third-party phone unlocking has elicited 114,322 electronic signatures to the White House. Now a petition to the White House, which asks that DMCA protection of phone unlockers be reconsidered, has finally received an official response. R. David Edelman, Senior Advisor for Internet, Innovation and Privacy, had this to say:

“The White House agrees with the 114,000+ of you who believe that consumers should be able to unlock their cell phones without risking criminal or other penalties,” Edelman writes. All told, the response matches that of the National Telecommunications and Information Administration (NTIA), which wrote a letter to the Librarian of Congress in support of extending the exemption last year.

Edelman went on to state: “The Obama Administration would support a range of approaches to addressing this issue, including narrow legislative fixes in the telecommunications space that make it clear: neither criminal law nor technological locks should prevent consumers from switching carriers when they are no longer bound by a service agreement or other obligation.” We’re not going to see immediate change, but it appears that a chain of events is now in motion in which the FCC and Congress potentially play a huge role.

Stay tuned for additional details as they become available.

Adobe releases Photoshop Touch app for iPhone, iPod touch devices

Posted by:
Date: Thursday, February 28th, 2013, 07:29
Category: iOS, iPhone, iPod Touch, News, Software


The app you’ve been hankering for has arrived.

Per AppleInsider, Adobe on Wednesday officially released the latest iteration of its mobile Photoshop software, Photoshop Touch for Phone, bringing powerful image editing to the iPhone and iPod touch.

The app boasts features users of the desktop version have become accustomed to, including layers, adjustment tools and filters, as well as the following bells and whistles:

– Improve your photos using classic Photoshop features to bring out the best in your photography. Apply precise tone and color adjustments to your entire composition, a particular layer, or a select area.

– Create something other-worldly using painting effects, filter brushes, and so much more. With Photoshop Touch, the creative possibilities are endless.

– Make your images pop with graphical text. Apply strokes, add drop shadows and fades, and more.

– Take advantage of your device’s camera to fill an area on a layer with the unique Camera Fill feature.

– Quickly combine images together. Select part of an image to extract just by scribbling with the Scribble Selection tool. With the Refine Edge feature, use your fingertip to easily capture hard-to-select image elements, like hair.

– Work on high-resolution images while maintaining the highest image quality. Images up to 12 megapixels are supported.

Buyers will also get access to Adobe Creative Cloud, which allows users to sync projects and switch between Photoshop mobile and desktop versions. The membership includes 2GB of Creative Cloud storage.

Along with the image editing feature set and Creative Cloud integration, users can easily share their work with friends via Facebook and Twitter, as well as the usual “save to camera roll” iOS compatibility.

The iOS version of the app weighs in at 32.2MB and requires iOS 6 running on an iPhone 5, iPhone 4S or fifth-generation iPod touch. Adobe Photoshop Touch for Phone is available now in the App Store for US$4.99.

If you’ve tried the app and have any feedback to offer, please let us know in the comments.

Apple releases iOS 6.1.2 update

Posted by:
Date: Tuesday, February 19th, 2013, 12:42
Category: iOS, iPad, iPad mini, iPhone, iPhone 3GS, iPod Touch, News, security, Software

Never doubt the speed of a fix in the wake of bad PR…

On Tuesday, Apple released iOS 6.1.2, a 107 megabyte download offering the following fixes for its supported iOS devices:

– Fixes an Exchange calendar bug that could result in increased network activity and reduced battery life.

iOS 6.1.2 is available via iTunes or Over-The-Air updating and requires an iPhone 3GS, 4, 4S, 5, iPad 2, third or fourth-gen iPad, iPod Touch 4th Gen or iPad Mini to install and run.