Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

3/31/2016
03:40 PM
Apple's Workflow For Enterprise iOS App Distribution Vulnerable To Attack

Millions of iPhones and iPads running iOS 9 can be exploited if enrolled in mobile device management, Check Point Software says.

Security vendor Check Point Software Technologies has sounded the alarm on an apparent weakness in Apple’s application distribution workflow for enterprises that it says gives attackers an opening to install malware on iPhones and iPads used by enterprise users.

The SideStepper flaw affects iOS 9 devices enrolled with an enterprise Mobile Device Management (MDM) system and can be exploited to take complete control of vulnerable devices, Check Point warned. Potentially millions of iOS 9 devices enrolled in enterprise MDM systems are vulnerable to attack.

In a white paper, Check Point researchers Avi Bashan and Ohad Bobrov described the flaw as enabling adversaries to execute a man-in-the-middle (MITM) attack to intercept communications between a managed iOS device and the MDM server. Such an attack would allow threat actors to install malware of their choice on a vulnerable device and take full control of it without the user's knowledge.

But in order to pull it off, an attacker first needs a foothold on the user's device: something that redirects the device's MDM traffic through a server the attacker controls.

The SideStepper vulnerability exists in the process that Apple offers to enterprises for installing internally developed iOS applications on iPhones and iPads.

Typically, users who want to download an iOS app can only get it through Apple’s official App Store, unless of course they have jailbroken their device. All apps in the App Store go through a thorough security review and vetting process and are digitally signed by Apple before they are available for download. Usually, only Apple-signed applications can run on non-jailbroken iOS devices.

Apple offers an Apple Developer Enterprise program for organizations that want to develop and install their own iOS apps without having to go through the company’s usual vetting process. For such organizations, Apple offers a signed enterprise certificate that can be used to sign internally developed iOS apps so they can be installed on enterprise iPhones and iPads.

Such enterprise certificates have been frequently abused in the past to distribute malicious and pirated applications. As Bashan and Bobrov note in the white paper, third-party app stores have in the past registered themselves as legitimate enterprises with Apple in order to obtain signed enterprise certificates from the company, which they have then used to distribute third-party apps.

In 2015, the issue gained considerable attention when the Hacking Team took advantage of an Apple enterprise certificate it owned and a previously discovered flaw dubbed Masque Attack to distribute a malicious app to devices running iOS versions 8.1.3 and earlier.

In order to address the shortcomings, Apple introduced some tighter security measures for enterprise app installation with the release of iOS 9, the two security researchers said. Enterprise users for instance have to go through a “maze of settings screens” to confirm the app’s developer when they want to install an enterprise iOS app on their devices for the first time, they said.

“Apple did leave a loophole, however,” according to Bashan and Bobrov. “iOS natively trusts any app installed by MDM solutions, which are exclusively used by businesses.”

So by intercepting communications between a managed iOS device and the MDM server, an attacker could install malware over-the-air on devices running iOS 9. In order to exploit the SideStepper weakness using an MITM attack, however, an attacker would first need to find a way to compromise the user's device and get it to route its traffic to a malicious server. Such a compromise can be accomplished via a phishing attack, Check Point said.
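The mechanism Check Point describes is easiest to see on the wire. In Apple's MDM protocol the server answers a device check-in with a plist command; an InstallApplication command carries a ManifestURL, and the manifest (the same format used for itms-services enterprise installs) names the bundle identifier and the URL of the .ipa to fetch. Whoever controls that channel controls what gets installed. The following is an added example, not code from Check Point's white paper or from Apple: it builds a constructed command and manifest, models the MITM step as a rewrite of the ManifestURL in transit, and applies the kind of allow-list policy (trusted HTTPS host for the manifest and package, approved bundle identifiers) that a hypothetical MDM agent or policy gateway would need in order to reject the rewritten command. The hosts mdm.example.com and attacker.example.net, the bundle ID com.example.expense, and the check itself are assumptions for illustration; the plist field names follow Apple's public MDM and manifest formats.

```python
"""Illustrative policy check for MDM InstallApplication commands.

Added example, not Check Point's or Apple's code. Hypothetical names:
mdm.example.com (the enterprise MDM host), com.example.expense (an
internal app), attacker.example.net (the MITM server). Field names
(RequestType, ManifestURL, bundle-identifier, software-package) follow
Apple's public MDM protocol and enterprise app manifest format.
"""
import plistlib
from urllib.parse import urlparse

TRUSTED_HOSTS = {"mdm.example.com"}           # hosts allowed to serve manifests/packages
ALLOWED_BUNDLE_IDS = {"com.example.expense"}  # internal apps the enterprise actually ships

# Constructed sample: the InstallApplication command as the MDM server sends it.
LEGIT_COMMAND = plistlib.dumps({
    "CommandUUID": "0f9e3b2a-1111-4c4c-9d9d-000000000001",
    "Command": {
        "RequestType": "InstallApplication",
        "ManifestURL": "https://mdm.example.com/apps/expense/manifest.plist",
        "ManagementFlags": 1,
    },
})

# Constructed sample: the manifest the legitimate ManifestURL resolves to.
LEGIT_MANIFEST = plistlib.dumps({
    "items": [{
        "assets": [{"kind": "software-package",
                    "url": "https://mdm.example.com/apps/expense/Expense.ipa"}],
        "metadata": {"bundle-identifier": "com.example.expense",
                     "bundle-version": "3.2.0",
                     "kind": "software",
                     "title": "Expense"},
    }]
})

# Constructed sample: the attacker's manifest. It reuses the real bundle ID
# (as a Masque-style overwrite would) but points at the attacker's package.
ROGUE_MANIFEST = plistlib.dumps({
    "items": [{
        "assets": [{"kind": "software-package",
                    "url": "https://attacker.example.net/Expense.ipa"}],
        "metadata": {"bundle-identifier": "com.example.expense",
                     "bundle-version": "3.2.1",
                     "kind": "software",
                     "title": "Expense"},
    }]
})


def mitm_rewrite(command_plist: bytes, rogue_manifest_url: str) -> bytes:
    """Model the SideStepper step: the party between device and MDM server
    swaps the ManifestURL so the device fetches the attacker's app instead."""
    cmd = plistlib.loads(command_plist)
    cmd["Command"]["ManifestURL"] = rogue_manifest_url
    return plistlib.dumps(cmd)


def _host_ok(url: str) -> bool:
    """Accept only https URLs whose host is one of ours (no scheme downgrade,
    no lookalike hosts)."""
    u = urlparse(url)
    return u.scheme == "https" and u.hostname in TRUSTED_HOSTS


def check_install(command_plist: bytes, manifest_plist: bytes) -> list[str]:
    """Return policy violations for an InstallApplication command and the
    manifest it points to. An empty list means the install may proceed."""
    violations = []
    cmd = plistlib.loads(command_plist).get("Command", {})
    if cmd.get("RequestType") != "InstallApplication":
        return ["not an InstallApplication command"]
    manifest_url = cmd.get("ManifestURL", "")
    if not _host_ok(manifest_url):
        violations.append(f"ManifestURL not on a trusted HTTPS host: {manifest_url}")
    for item in plistlib.loads(manifest_plist).get("items", []):
        bundle_id = item.get("metadata", {}).get("bundle-identifier", "")
        if bundle_id not in ALLOWED_BUNDLE_IDS:
            violations.append(f"bundle id not allow-listed: {bundle_id}")
        for asset in item.get("assets", []):
            pkg = asset.get("url", "")
            if asset.get("kind") == "software-package" and not _host_ok(pkg):
                violations.append(f"package served from untrusted host: {pkg}")
    return violations


if __name__ == "__main__":
    print("legit:", check_install(LEGIT_COMMAND, LEGIT_MANIFEST))
    tampered = mitm_rewrite(LEGIT_COMMAND, "https://attacker.example.net/manifest.plist")
    for v in check_install(tampered, ROGUE_MANIFEST):
        print("tampered:", v)
```

Two things the example makes concrete. First, a bundle-ID allow list alone does nothing here, because the attacker simply reuses the enterprise's own identifier; the host checks on the manifest and package URLs are what catch the rewrite. Second, any such check only helps if it runs somewhere the attacker's phishing step has not already subverted. If the device has been made to route traffic through the attacker's server, a check that lives on that same path can be bypassed too, which is why Check Point's point is that the trust decision belongs on the device, not in the channel.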

"The vulnerability is actually in the way Apple implemented this fix for making enterprise apps more difficult to install," says Avi Rembaum, vice president of security solutions at Check Point. The changes that Apple made to the app distribution workflow with iOS 9 add several steps intended to make it clear to the user that he or she is doing something that is not typical behavior for an average user, he says.

“[But], it doesn’t address over-the-air installation of malicious enterprise apps should an attacker stage a MITM attack on a device’s communication with an MDM," he says.

Attacks of this type theoretically could be exploited on a mass scale, Rembaum says. “But it’s more likely that it’d be used to target a specific individual, or groups of individuals.”

Check Point says it informed Apple of the problem in October 2015. "Apple responded in November 2015 that the behavior the research team demonstrated 'is expected,'" Check Point said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
