Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Playing with iPhone profiles

It’s not often that I talk about a GOOD feature of the iPhone. Don’t get me wrong, I love my iPhone and it’s really changed the way I work and communicate, however Apple really only want you to use the device they want, not how you want. Still, I’ve recently been fighting with a few issues while traveling. The largest of these is the need to constantly change my APN settings whenever I fly somewhere. I usually travel with a small collection of pay as you go sim cards so that I can just touchdown, plug in the sim and charge enough credit to cover a few days, weeks of data transfer. You’d be surprised at the prices you can find even on pay as you go nowadays. Anyway, this is all well and good, but wouldn’t it be nice if the APN settings (APN name, username and password) was automatically detected. Some sim cards do this, however most don’t (my O² sim card even fills it in with incorrect info). Today I finally had a chance to look at the iPhone configuration tool offered by Apple.

The iPhone configuration tool gives you a range of options to configure a single or multiple iPhones. It also offers the chance to do some security related configurations that you can’t achieve directly on the iPhone itself. The 2 things I was particularly  interested in where the Passcode and APN (advanced) settings.

Wether you’re using this in a corporate of home environment, the configuration tool can help improve the security of your iPhone, as well as making it easier to turn settings on/of as required.

Passcode

By default the iPhone allows for a 4 character passcode to lock down your phone. This is great, but I’ve lost count the amount of times I’ve seen people type in their passwords. It’s not hard to remember a 4 digit passcode, and as iPhone doesn’t randomize the layout of the numbers on the screen, it’s easy enough to figure out the password even without seeing which numbers are selected. Luckily the iPhone configuration tool gives you the chance to correct this.

Through the configuration tool you can set the advanced settings not possible to do directly on the iPhone itself. These settings include the complexity (including the number of non-alphanumeric characters required), minimum length, maximum password age, password history and failed attempts.

Alongside these typical settings you can also set the auto-lock and grace period times. Most importantly, from my perspective, you can enable the device erase function (this can also be enabled on the device directly).

When it comes to mobile devices, password enforcement is becoming more and more important. With the limited keyboard functionality and repetition of password entry (how many times a day do you type in your iPhone passcode ?) it’s important to make sure users (whether enterprise or home) don’t simplify the passcode too much. It’s very convenient to use 9999 as your passcode, but it’s not hard to shoulder-surf.

The above images show the default 4 character PIN style password, and the more extensive passcode options you can enable through iPhone configuration tool. The more security conscious may have noticed there are 3 images and not just 2. If you allow users to set digit only passcodes (i.e. an 8 character passcode like 12345678) then your users will be prompted ONLY to enter numeric values. If the user sets a more complex alphanumeric password, then they will be given a full keyboard for entry. This isn’t a BIG security issue, but it does tell you what kind of passcode they’ve selected without you needing to know the passcode itself. Still, it’s better than a 4 digit passcode 😉

APN (advanced)

The second feature that interest me is the advanced page, which allows you to set the APN and Proxy information. For me this is really handy. I can go into the configuration tool and create a profile for each APN setting combination that I need. When going between countries I can simply pull up the .mobileconfig file from my email (make sure you’ve got it cached) and apply it to the iPhone.

The advanced settings page also allows you to set a proxy for your communications. I’ve not had a chance to play with this setting yet to see what kind of security enhancement can be gained from this. In theory it would be nice to force ALL communications over an SSL secured proxy. This could then connect back to a trusted system to give you an extra layer of protection between your phone and home base. When travelling to a possibly dangerous environment (I’m thinking China, Russia, Ukraine, etc…) it would be nice to feel just a little bit more secure.

The good thing about profiles is that you can add and remove them at will. You can also have more than 1 profile active on the iPhone at once (as you can see I’ve got 4 currently). This allows you to add and remove them whenever you need to. It also means you can have a profile that applies your security settings and separate ones that apply just the APN info (as it’s likely to change more often than you security configuration). I’ve not had a chance yet to look at what happens when you set multiple profiles to contain settings that clash. I get the feeling that the LAST profile applied will override the earlier ones, but at the moment that’s just speculation on my part.

.mobileconfig

The files you export from the iPhone configuration tool are simple XML files. So if you find yourself out and about without the tool, you can still open the file up in a text editor and change the settings as required. If you do a Google search for “mobileconfig iphone” you’ll find a number of sites discussing the format. You can also checkout the enterprise deployment documentation HERE for more hints. You can also download the configuration tool from the same location (Windows / OSX only).

Edit: After posting I did a little followup on the contents of the .mobileconfig file. When looking at the files created to implement specific APN settings, I noticed the following string s in the XML :

 <key>apns</key>
 <array>
   <dict>
     <key>apn</key>
     <string>payandgo.o2.co.uk</string>
     <key>password</key>
     <data>
     cGFzc3dvcmQ=
     </data>
     <key>username</key>
     <string>vertigo</string>
  </dict>
</array>

I can almost see people holding their heads in their hands. Yes, the password is stored Base64 encoded. I can understand why Apple have done this (to avoid issues with special characters corrupting the XML). However Base64 isn’t encryption. Luckily the APN settings are usually publicly available. However the .mobileconfig file can also contain data such as WPA keys, mail account passwords, and even LDAP and Exchange server settings. Surely these are protected in the XML by default right ?

<key>LDAPAccountDescription</key>
 <string>LDAP Account</string>
 <key>LDAPAccountHostName</key>
 <string>server</string>
 <key>LDAPAccountPassword</key>
 <string>SecretLDAPpassword</string>
 <key>LDAPAccountUseSSL</key>
 <true/>

That’s what we like to see. Clear text passwords… However it’s not all bad, there is a solution, even if it’s not the default. When exporting the .mobileconfig file from the iPhone configuration tool, you can select to sign and encrypt the file. The downside of this, is that you need to tie the .mobileconfig to an iPhone that has been registered in the iPhone configuration tool. This may not always be convenient, especially when your CFO is shouting that his wireless settings are wrong as he’s waiting for the 9th hole at the local golf club. Still, at least Apple have thought about the security risks. When creating a single profile for your entire corporation however, you’ll either need to register each iPhone in the configuration tool before exporting the file, or use the less secure, unencrypted, option.

So, if you’re a corporate using this feature for your CEO’s iPhone, remember to store the .mobileconfig in a safe place and use the sign and encrypt option (not the default, at least in my testing). If you’re a penetration tester, add this filetype to your list of files to look for next time you exploit a users system. You never know what you might find. If you want to know how bad it really is, try the following Googledork “filetype:mobileconfig”.

Advertisements

5 responses to “Playing with iPhone profiles

  1. Tomasz Miklas December 4, 2009 at 14:08

    When creating policy you can also set it in a way, that turning it off will wipe all data 🙂

  2. ChrisJohnRiley December 4, 2009 at 14:20

    Thanks for the hint. For my purposes, I want to be able to change the settings on the fly no matter where in the world I am, but it’s good to know.

  3. Pingback: Do Cell Phones Get Viruses? « Aggressive Virus Defense

  4. Wouter March 28, 2010 at 17:13

    Hi, a Question on the report. I need to be able to connect to a different APN than the normal “internet” one. In order to do so, i need to provide a secure password to authenticate against a corporate radius server, but the iPhone does not seem to have that functionality. Any ideas on how to do this, or any 3rd party apps out there that will allow a secure password to be sent instead of a password in “clear Text”

  5. ChrisJohnRiley March 28, 2010 at 19:45

    Sorry, I’m not aware of any way to encrypt the APN settings at logon from the phone side. Perhaps there’s a way to force the phone to send encrypted from the remote end (some kind of “demand encryption” option). I’m afraid this isn’t something I’ve looked at personally, so I’m not sure I can be of much assistance.

%d bloggers like this: