
3/31/2016
03:40 PM

Apple’s Workflow For Enterprise iOS App Distribution Vulnerable To Attack

Millions of iPhones and iPads running iOS 9 can be exploited if enrolled in mobile device management, Check Point Software says.

Security vendor Check Point Software Technologies has sounded the alarm on an apparent weakness in Apple’s application distribution workflow for enterprises that it says gives attackers an opening to install malware on iPhones and iPads used by enterprise users.

The SideStepper flaw affects iOS 9 devices enrolled with an enterprise Mobile Device Management (MDM) system and can be exploited to take complete control of vulnerable devices, Check Point warned. Potentially millions of iOS 9 devices enrolled in enterprise MDM systems are vulnerable to attack.

In a white paper, Check Point researchers Avi Bashan and Ohad Bobrov described the flaw as enabling adversaries to execute a man-in-the-middle (MITM) attack to intercept communications between a managed iOS device and the MDM server. Such an attack would allow threat actors to install malware of their choice on a vulnerable device and take full control of it without the user’s knowledge.

But in order to pull it off, an attacker first must compromise the user’s device.

The SideStepper vulnerability exists in the process that Apple offers to enterprises for installing internally developed iOS applications on iPhones and iPads.

Typically, users who want to download an iOS app can only get it through Apple’s official App Store, unless of course they have jailbroken their device. All apps in the App Store go through a thorough security review and vetting process and are digitally signed by Apple before they are available for download. Usually, only Apple-signed applications can run on non-jailbroken iOS devices.

Apple offers an Apple Developer Enterprise program for organizations that want to develop and install their own iOS apps without having to go through the company’s usual vetting process. For such organizations, Apple offers a signed enterprise certificate that can be used to sign internally developed iOS apps so they can be installed on enterprise iPhones and iPads.

Such enterprise certificates have been frequently abused in the past to distribute malicious and pirated applications. As Bashan and Bobrov note in the white paper, third-party app stores have in the past registered themselves as legitimate enterprises with Apple in order to obtain signed enterprise certificates from the company, which they have then used to distribute third-party apps.

In 2015, the issue gained considerable attention when the Hacking Team took advantage of an Apple enterprise certificate it owned and a previously discovered flaw dubbed Masque Attack to distribute a malicious app to devices running iOS versions 8.1.3 and earlier.

In order to address the shortcomings, Apple introduced some tighter security measures for enterprise app installation with the release of iOS 9, the two security researchers said. Enterprise users for instance have to go through a “maze of settings screens” to confirm the app’s developer when they want to install an enterprise iOS app on their devices for the first time, they said.

“Apple did leave a loophole, however,” according to Bashan and Bobrov. “iOS natively trusts any app installed by MDM solutions, which are exclusively used by businesses.”

So by intercepting communications between a managed iOS device and the MDM server, an attacker could install malware over-the-air on devices running iOS 9. In order to exploit the SideStepper weakness using an MITM attack, however, an attacker would first need to find a way to compromise a user system and get it to route traffic to a malicious server. Such a compromise can be accomplished via a phishing attack, Check Point said.

“The vulnerability is actually in the way Apple implemented this fix for making enterprise apps more difficult to install,” says Avi Rembaum, vice president of security solutions at Check Point. The changes that Apple made in the app distribution workflow with iOS 9 add several steps intended to make it clear to the user that he or she is doing something that’s not typical behavior for an average user, he says.

“[But] it doesn’t address over-the-air installation of malicious enterprise apps should an attacker stage a MITM attack on a device’s communication with an MDM,” he says.

Attacks of this type theoretically could be exploited on a mass scale, Rembaum says. “But it’s more likely that it’d be used to target a specific individual, or groups of individuals.”

Check Point says it informed Apple of the problem in October 2015. “Apple responded in November 2015 that the behavior the research team demonstrated ‘is expected,’” Check Point said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
