Apple Cracks Down on Websites Sharing iOS 16 Developer Beta

[theotherphil]

Except the profile is still signed by apple so if it was tampered with (to load something else) it wouldn't work since it's not signed by apple. Again this is nothing more than apple wanting to pad their bottom line with the $99 developer fees.

Great work completely ignoring the act of piracy in offering somebody else’s IP without permission.

Here’s the thing….how do you know the profile you are getting is going to load iOS beta? There is NO WAY you can know before hand. Users are installing it, hoping it does what an unknown website says it does.

Why Configuration Profiles Can Be As Dangerous As Malware on iPhones and iPads

Apple's iOS is nowhere near as vulnerable to malware as Windows is, but it's not completely impervious.

www.howtogeek.com

Fake iOS 13 jailbreak sites popping up, beware of the scams & potential adverse after effects - PiunikaWeb

Many fake iOS 13 jailbreaking sites are popping up on the web. Instead of doing what they should, they install malicious scripts into the devices.

piunikaweb.com

Malicious profiles – one of the most serious threats to mobile devices

Learn more about how attackers install malicious configuration profiles that bypass intended security restrictions.

www.jamf.com

 

[kc9hzn]

Great work completely ignoring the act of piracy in offering somebody else’s IP without permission.

Here’s the thing….how do you know the profile you are getting is going to load iOS beta? There is NO WAY you can know before hand. Users are installing it, hoping it does what an unknown website says it does.

Why Configuration Profiles Can Be As Dangerous As Malware on iPhones and iPads

Apple's iOS is nowhere near as vulnerable to malware as Windows is, but it's not completely impervious.

www.howtogeek.com

Fake iOS 13 jailbreak sites popping up, beware of the scams & potential adverse after effects - PiunikaWeb

Many fake iOS 13 jailbreaking sites are popping up on the web. Instead of doing what they should, they install malicious scripts into the devices.

piunikaweb.com

Malicious profiles – one of the most serious threats to mobile devices

Learn more about how attackers install malicious configuration profiles that bypass intended security restrictions.

www.jamf.com

I mean, the profiles do seem to have been signed by Apple (making it more likely that they are just the beta profile, unless there’s some new major cryptographic bug), yes, but malicious profiles are definitely a thing, and we shouldn’t be training users to install profiles from random websites. I wouldn’t be at all surprised if there are profiles floating around that offer game console emulation apps for iOS but also surreptitiously install a man-in-the-middle profile.

 

[crawfish963]

I actually covered that in a different post. If you don’t 100% trust the site hosting the profile, then you can’t trust the hash they give you (assuming they give you one). If you know the hash of the official profile, that’s one thing. But, if you have the hash of the official profile, you’ve probably got access to said profile and don’t need to access it through one of these sites. (And I suppose hash collisions could be a thing, depending on whether they’re using an insecure hash algorithm, but that’s a pretty far fetched concern.) And in general, I acknowledge or at least implied I was taking something of a paranoid stance.

But, of course, when it comes to security, we need the people who are paranoid about it as well as the people who think “how would an attacker attack this system?” Without them, we’d be without security, I suppose.

That would be what I mean. You compare the original hash to the provided profile hash.

 

[Krysti]

If you do I’ll be reporting all to apple it’s against there NDA so every site I find doing it will be shut down ones that are giving free dev profiles

 

[Krysti]

Not true. There is a group called Appleseed that has access to them without paying $99.

If you can’t afford the beta dev the. Do the free like eniz is saying

 

[MagicHAM]

Lol really? I think Apple have bigger fish to fry Kristi.

 

[bigjnyc]

So many white knights for a trillion dollar company lol. Anyway I’m loving my free dev beta profile running great on 13 pro max!

Well who else is going to defend poor little Apple? It's not like they have a huge team of lawyers or anything like that.

 

[kc9hzn]

That would be what I mean. You compare the original hash to the provided profile hash.

But you’d have to get the hash from Apple in some way, not from the website hosting the file. It’s the in-channel authentication issue. It’s highly difficult to authenticate identity using in-channel communication (eg to confirm an email is 100% safe via email), but it’s so much easier to authenticate out-of-channel (calling the same company from the customer service number on their official website or entering the website’s canonical URL through your browser and logging in). The email might be a phish, so you don’t click the link but actually log into the site. If you don’t 100% trust the site to be safe, you can’t 100% trust the hash value given by the site. You’d have to somehow get the hash of the original file (in this case a beta profile from Apple). Sure, the two hashes might just match, but, if there’s any doubt, you need a second channel of communication. It’s just borderline impossible to confirm identity in-channel.

 

[nicolas17]

I have one simple question. How does Betaprofiles.com make money?

Why do you think it needs to? I'm sure it's quite cheap to host.

 

[DSM2.Hackintosh]

They change them for major versions so it’s only going to work for the 16.x beta train. But as others have said there will always be a way around it

It was always possible even without beta profiles… just some terminal commands and you are Dev without paying 99$

Another way Curl… and there are even more!