Apple's iOS operating system has "two critical weak points for which no patch exists," the Federal Office for Information Security said.
Opening a manipulated website or a PDF file could allow criminals to spy on passwords, planners, photos, text messages, e-mails and even listen in to phone conversations, the agency said in a statement.
"This allows potential attackers access to the complete system, including administrator rights," it added, urging users not to open PDF files on their mobile devices and only use trustworthy websites until Apple Inc. publishes a software update.
A spokesman for Apple in Germany, Georg Albrecht, told The Associated Press that the company is looking into the matter.
"We know these reports and are investigating them," he said, refusing to elaborate.
Although no attacks have been observed yet they were likely to appear soon, the German agency said.
"It has to be expected that hackers will soon use the weak spots for attacks," it said, noting that the devices' popularity could lead to attacks within the corporate world — possibly facilitating industrial espionage.
The security loophole became obvious after reports about a successful hacking of Apple's iOS operating system emerged on Monday, a spokeswoman for the agency, Katrin Alberts, said.
"Since then, information used in this hack is publicly available and can be used to infect an iOS device simply by opening a specially crafted PDF file," she told the AP.
The application targeted in such an attack, Alberts noted, is not Adobe Systems Inc.'s Acrobat reader which allows users to view PDF files, but Apple's internal application for opening those files on its iOS devices.
"We decided to communicate this proactively because a potential attacker may gain access to the entire device," Alberts said.
The federal agency, based in Bonn, said it was in contact with Apple on the issue. The warning relates to iPhones using iOS versions 3.1.2-4.0.1., iPads using iOS 3.2-3.2.1 and iPods Touch using iOS 3.1.2.-4.0.
The agency said it was possible but not clear whether older iOS or iPhone OS versions could also be affected.
With their mobile devices, users should not only stay clear of PDF files they get by e-mail, but also of those found via search engines, as they could be infected, Alberts said.
In the worst case, attackers could get hold of passwords, banking and other personal data. A user's contacts could also be used for sending spam e-mails, she said.