1.
iOS Threats - Malicious Configuration Profiles
Threat, Detection & Mitigation
1

2.
A Little About Lacoon
2
Who We Are What We Do
§ Develop new mobile security
technologies that can detect and
prevent mobile threats
§ Partner with leading mobile
operators and technology
companies to provide
comprehensive mobile security
solutions
§ Founded by mobile security experts from
Military Intelligence and Telco Industries
§ Supported by a Security Research Team
focused on uncovering undiscovered
threats to mobile apps and platforms
§ Well-funded and backed by successful
security industry veterans

3.
3
iOS Configuration
Profiles can be
loaded on any iOS
device with relative
ease. Each
configuration profile
can include settings
for managing the
devices proxy,
VPN, and
certificates
Introduction – iOS Malicious Configuration Profile
Through social
engineering like
email phishing or
web link an attacker
can convince the
user to install a
malicious profile and
compromise the
device settings
The attack can
silently route
network traffic from
a device using the
profile to a remote
proxy over SSL
using a self-signed
certificate authority
that appears
valid to the end
user
Once the attacker re-
routed all traffic from
the mobile device to
an attacker-
controlled server, he
can further install
rogue apps, and
decrypt SSL
communications
1 2 3 4
1 2 3 4

4.
4
How iOS Attacks 'Get in"
Three Main Infection Vectors for iOS Attacks
Physical
Access
Social
Engineering
Rogue WiFi
HotSpots
• Malicious Profiles
• Fake Certificates
• Zero-Day Vulnerabilities
1 2 3

5.
5
Malicious Profiles example
LinkedIn Intro
1
User downloads app or
accepts new functionality
from one of their apps
that requires an update to
their device’s Profile.
Example: LinkedIn Intro’s
new Profile reroutes
all email to the
LinkedIn Servers.
Example:
LinkedIn Intro
LinkedIn is now
intercepting all emails
and modifying their
content (adding user
info).
This is known as a man-
in-the-middle (MitM)
attack!
More Info 2
1 2

6.
Holes in Existing Technologies
6
Capabilities needed to protect against
MALICIOUS PROFILES
Analyze Configuration
Profiles
Identify Suspicious
Traffic Patterns
Key:
Cannot Protect
Some Protection
Can Protect✓

7.
Certificate
Validation
Ability to check
validity of certificates
and accurately
identify the source of
the application
Lacoon MobileFortress - iOS Threat Coverage
Advanced Jailbreak
Detection
Ability to identify
when a device has
been jailbroken
using continuous
background service
Configuration Profile
Analysis
Ability to identify
changes to
configuration profiles
and understand
when those changes
make the device
vulnerable (e.g.
compromise secure
containers)
Malicious App
Detection
Ability to understand
communications from
the app, regardless of
how it was installed on
the device, to see
what it’s doing (e.g.
recognize traffic to and
from unknown servers)
Man-in-the-Middle
Attack Mitigation
Ability to trigger a
VPN to isolate user
when on a WiFi or
other unsecured
network

8.
8
Lacoon iOS App
checks for
modified network
settings every 10
min and sends
configuration info
to the Behavioral
Risk Engine
(BRE)
How Lacoon MobileFortress Works – iOS Malicious Configuration
Profiles
The BRE
analyzes the new
network
configuration and
determines if it
can compromised
the device
communication
The appropriate
Risk Score is
automatically
assigned to the
device and
triggers the active
protection layers
Active Protection
prevents data
exfiltration- by
notifying the user
on-the-device,
activating
network
protection and via
MDM/NAC
integration
Full visibility and
control over the
compromised
settings are
available on the
Lacoon
Dashboard.
Whitelisting
capabilities are
available for
known settings1 2 3 4 5
1 2 3
4
5
MobileFortress App Behavioral Risk Engine Risk Score
Active Protection
Dashboard

9.
Contact details
www.lacoon.com
sales@lacoon.com