Security practitioners who have counted on the protection of the Apple App Store's walled-garden approach now have something new to worry about: rogue app marketplaces are using stolen enterprise certificates to let users download applications through unapproved channels, even onto non-jailbroken iPhones and iPads.
Researchers from Proofpoint have dubbed the process used by these rogue app stores "DarkSideLoaders." In their research they pointed to one marketplace in particular, vShare, as an example of those using DarkSideLoader methods. Advertising one million apps available for iPhones and iPads, including pirated paid apps available for free, vShare in past years has catered to Android and jailbroken iOS devices. The game has now changed for this marketplace, however, as it has figured out how to "sideload" applications onto non-jailbroken iOS devices, that is, to install them while circumventing the Apple App Store or other legitimate app stores.
Rogue app stores are doing this by signing their apps with Enterprise App distribution certificates issued by Apple.
"These certificates are normally issued to enterprises that want to operate their own internal app stores for employees," the researchers wrote. "A rogue app marketplace using the DarkSideLoader technique has implemented a large scale app re-signing capability. Legitimate games and other apps are decrypted, modified, and re-signed with an enterprise certificate for download by users of the rogue app marketplace."
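The re-signing the researchers describe leaves a trace a defender can check: an app installed outside the App Store carries an embedded provisioning profile, and an enterprise (in-house) profile is distinguished by the `ProvisionsAllDevices` key. The script below is an added example, not Proofpoint's or vShare's code, that classifies such a profile and flags one issued to a team other than the organization's own. It assumes the profile's XML plist has already been extracted from its CMS wrapper (on macOS, `security cms -D -i embedded.mobileprovision`); the sample profile, team identifiers and trusted-team list are constructed values.

```python
import plistlib
from datetime import datetime

# Constructed sample: the XML plist carried inside an embedded.mobileprovision.
# Real files wrap this plist in a CMS signature; extract it first with
#   security cms -D -i embedded.mobileprovision
# All identifiers below are made up.
SAMPLE_ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Wildcard</string>
  <key>Name</key><string>In-House Distribution</string>
  <key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
  <key>TeamName</key><string>Some Unrelated Corp</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLE123.*</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""

# Constructed development profile: device-limited and long expired.
SAMPLE_DEV_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Dev Profile</string>
  <key>TeamIdentifier</key><array><string>OURTEAM999</string></array>
  <key>ProvisionedDevices</key><array><string>00008030-000000000000000E</string></array>
  <key>ExpirationDate</key><date>2000-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>OURTEAM999.com.example.app</string>
    <key>get-task-allow</key><true/>
  </dict>
</dict>
</plist>
"""


def classify_profile(profile_plist, now=None):
    """Summarise a provisioning profile plist as a dict of the fields that matter for triage."""
    p = plistlib.loads(profile_plist)
    ent = p.get("Entitlements", {})
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"        # in-house distribution: installs on any device
    elif "ProvisionedDevices" in p:
        kind = "development" if ent.get("get-task-allow") else "adhoc"
    else:
        kind = "appstore"          # distribution profile with neither key
    now = now or datetime.utcnow()  # plistlib returns naive UTC datetimes
    exp = p.get("ExpirationDate")
    app_id = ent.get("application-identifier") or ""
    return {
        "kind": kind,
        "team_ids": list(p.get("TeamIdentifier", [])),
        "team_name": p.get("TeamName"),
        "app_id": app_id,
        "expired": bool(exp) and exp < now,
        "wildcard": app_id.endswith(".*"),
    }


def assess(info, trusted_team_ids):
    """Return (verdict, reasons). trusted_team_ids holds our own Apple Team IDs (assumption)."""
    reasons = []
    foreign = not set(info["team_ids"]) & set(trusted_team_ids)
    if info["kind"] == "enterprise" and foreign:
        reasons.append("enterprise profile issued to a team other than our own")
    if info["kind"] == "enterprise" and info["wildcard"]:
        reasons.append("wildcard app id: one profile can re-sign any app")
    if info["expired"]:
        reasons.append("profile has expired")
    if any("other than our own" in r for r in reasons):
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


if __name__ == "__main__":
    for name, blob in (("enterprise", SAMPLE_ENTERPRISE_PROFILE), ("dev", SAMPLE_DEV_PROFILE)):
        info = classify_profile(blob)
        print(name, info["kind"], assess(info, {"OURTEAM999"}))
```

An MDM or EDR inventory job can run this over every non-App-Store app's `embedded.mobileprovision`; an enterprise-kind profile whose `TeamIdentifier` is not the organization's own is exactly the DarkSideLoader signature, and a wildcard `application-identifier` is what makes bulk re-signing of arbitrary apps practical.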
This capability puts enterprises at risk when their employees start loading applications from these unauthorized app stores.
"These apps can make use of private iOS APIs to access operating system functions that would not be permitted by apps that have been vetted by Apple for publishing on the official app store," Proofpoint researchers said.
The biggest risk to enterprises, of course, is that these unauthorized apps are used as vehicles for exploits of known or zero-day vulnerabilities that allow the app maker to compromise the device. Security experts have long warned about the dangers of jailbreaking devices in order to sideload apps, because of the high prevalence of malicious apps lurking in these types of marketplaces. Attackers load attractive applications, such as pirated popular games or productivity applications, with remote access trojans (RATs) that can be used to infiltrate corporate networks when infected devices connect to them.
"The vShare marketplace is noteworthy in that it is accessible to iOS devices connecting from anywhere in the world, representing a global expansion of this attack technique," wrote the researchers. "This technique also makes it possible to load onto the iOS devices configuration profiles that would allow an attacker to configure VPN settings to redirect network traffic to their man-in-the-middle nodes, as well as change various OS settings."
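The configuration-profile angle in the quote above is also auditable: an iOS `.mobileconfig` is a plist whose `PayloadContent` array lists each payload by `PayloadType`, so a profile that adds a VPN, a global HTTP proxy or a trusted root CA can be picked out before it reaches a device. The following is an added example, not code from Proofpoint or any marketplace; the sample profile, its identifiers and hostnames are constructed, the list of payload types treated as traffic-affecting is this example's own choice, and a signed profile is assumed to have had its plist extracted first (`security cms -D -i profile.mobileconfig` on macOS).

```python
import plistlib

# Constructed sample .mobileconfig in unsigned XML form. The identifiers,
# names and hostname are made up for this example.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.freegames.profile</string>
  <key>PayloadDisplayName</key><string>Free Games Booster</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key><string>example.freegames.vpn</string>
      <key>UserDefinedName</key><string>Booster VPN</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>OnDemandEnabled</key><integer>1</integer>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.invalid</string>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>example.freegames.ca</string>
      <key>PayloadContent</key><data>AAEC</data>
    </dict>
  </array>
</dict>
</plist>
"""

# Payload types that can re-route traffic, let a third party inspect it, or
# change OS settings. Which types to watch is our own choice (assumption).
TRAFFIC_PAYLOADS = {
    "com.apple.vpn.managed": "VPN",
    "com.apple.proxy.http.global": "global HTTP proxy",
    "com.apple.security.root": "root CA",
}


def vpn_remote(payload):
    """Find the VPN server: RemoteAddress sits under the protocol-specific sub-dict."""
    for key in ("IKEv2", "IPSec", "VPN", "PPP"):
        sub = payload.get(key)
        if isinstance(sub, dict) and sub.get("RemoteAddress"):
            return sub["RemoteAddress"]
    return None


def audit_profile(plist_bytes, allowed_vpn_hosts):
    """Return a list of human-readable findings for payloads that affect traffic or trust."""
    prof = plistlib.loads(plist_bytes)
    findings = []
    for payload in prof.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in TRAFFIC_PAYLOADS:
            continue
        label = TRAFFIC_PAYLOADS[ptype]
        if ptype == "com.apple.vpn.managed":
            host = vpn_remote(payload)
            on_demand = bool(payload.get("OnDemandEnabled"))
            if host not in allowed_vpn_hosts:
                findings.append(
                    f"{label} to unapproved endpoint {host!r}"
                    + (" (on-demand, always connects)" if on_demand else "")
                )
        else:
            findings.append(f"installs {label} payload {payload.get('PayloadIdentifier')}")
    return findings


if __name__ == "__main__":
    for f in audit_profile(SAMPLE_MOBILECONFIG, {"vpn.corp.example"}):
        print("FINDING:", f)
```

Run against profiles collected by MDM or found in a mail or web gateway's attachment stream, the combination the sample shows, an on-demand VPN to an unknown host plus a new root CA, is the setup that would let a man-in-the-middle node both receive and decrypt the device's traffic, and is worth a block rather than a warning.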