3/31/2016 03:40 PM
Apple’s Workflow For Enterprise iOS App Distribution Vulnerable To Attack

Millions of iPhones and iPads running iOS 9 can be exploited if enrolled in mobile device management, Check Point Software says.

Security vendor Check Point Software Technologies has sounded the alarm on an apparent weakness in Apple’s application distribution workflow for enterprises that it says gives attackers an opening to install malware on iPhones and iPads used by enterprise users.

The SideStepper flaw affects iOS 9 devices enrolled with an enterprise Mobile Device Management (MDM) system and can be exploited to take complete control of vulnerable devices, Check Point warned. Potentially millions of iOS 9 devices enrolled in enterprise MDM systems are vulnerable to attack.

In a white paper, Check Point researchers Avi Bashan and Ohad Bobrov described the flaw as enabling adversaries to execute a man-in-the-middle (MITM) attack to intercept communications between a managed iOS device and the MDM server. Such an attack would allow threat actors to install malware of their choice on a vulnerable device and take full control of it without the user’s knowledge.

But in order to pull it off, an attacker first must compromise the user’s device.

The SideStepper vulnerability exists in the process that Apple offers to enterprises for installing internally developed iOS applications on iPhones and iPads.

Typically, users who want to download an iOS app can only get it through Apple’s official App Store, unless of course they have jailbroken their device. All apps in the App Store go through a thorough security review and vetting process and are digitally signed by Apple before they are available for download. Usually, only Apple-signed applications can run on non-jailbroken iOS devices.

Apple offers an Apple Developer Enterprise program for organizations that want to develop and install their own iOS apps without having to go through the company’s usual vetting process. For such organizations, Apple offers a signed enterprise certificate that can be used to sign internally developed iOS apps so they can be installed on enterprise iPhones and iPads.

Such enterprise certificates have frequently been abused to distribute malicious and pirated applications. As Bashan and Bobrov note in the white paper, third-party app stores have registered themselves as legitimate enterprises with Apple in order to obtain signed enterprise certificates from the company, which they have then used to distribute third-party apps.

In 2015, the issue gained considerable attention when the Hacking Team took advantage of an Apple enterprise certificate it owned and a previously discovered flaw dubbed Masque Attack to distribute a malicious app to devices running iOS versions 8.1.3 and earlier.

In order to address the shortcomings, Apple introduced some tighter security measures for enterprise app installation with the release of iOS 9, the two security researchers said. Enterprise users for instance have to go through a “maze of settings screens” to confirm the app’s developer when they want to install an enterprise iOS app on their devices for the first time, they said.

“Apple did leave a loophole, however,” according to Bashan and Bobrov. “iOS natively trusts any app installed by MDM solutions, which are exclusively used by businesses.”

So by intercepting communications between a managed iOS device and the MDM server, an attacker could install malware over the air on devices running iOS 9. In order to exploit the SideStepper weakness using an MITM attack, however, an attacker would first need to find a way to compromise a user’s device and get it to route traffic to a malicious server. Such a compromise can be accomplished via a phishing attack, Check Point said.

“The vulnerability is actually in the way Apple implemented this fix for making enterprise apps more difficult to install,” says Avi Rembaum, vice president of security solutions at Check Point. The changes that Apple made in the app distribution workflow with iOS 9 add several steps intended to make it clear to the user that he or she is doing something that’s not typical behavior for an average user, he says.

“[But], it doesn’t address over-the-air installation of malicious enterprise apps should an attacker stage a MITM attack on a device’s communication with an MDM,” he says.

Attacks of this type theoretically could be exploited on a mass scale, Rembaum says. “But it’s more likely that it’d be used to target a specific individual, or groups of individuals.”

Check Point says it informed Apple of the problem in October 2015. “Apple responded in November 2015 that the behavior the research team demonstrated ‘is expected,’” Check Point said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
