Corporate iOS Devices Targeted

Wednesday, April 6, 2016 @ 10:04 AM gHale


There is a new method to bypass iOS security protections in order to install malware on a device, researchers said.

This new attack, called SideStepper, targets iOS devices used in enterprise environments, usually enrolled in MDM (Mobile Device Management) setups, said researchers at Check Point.


MDM solutions usually end up installed in large companies that provide iOS devices to their workers, but also need custom apps to interface with their private data servers. Such apps can’t be hosted on Apple’s App Store, so Apple issues special enterprise certificates which the company then uses to sign these apps.

The employee then uses a process called app side-loading, which Apple allows, to install iOS apps from non-App Store sources.

In the past, malware authors have stolen enterprise certificates and used them to sign malicious apps which users would then side-load, fooled by advertising or the promise of features not found on the official App Store.

With the release of iOS 9, Apple has made the process of side-loading apps much harder, requiring much more user interaction.

Check Point researchers said they discovered that iOS users enrolled in an MDM setup can be victimized by attackers who install additional apps alongside their current enterprise-approved applications.

Researchers found they could send a malicious configuration profile (via SMS, IM, or email) to an iOS device already running MDM-approved apps that benefit from an Apple-approved enterprise certificate.

This malicious configuration profile piggybacks on the legitimate enterprise certificate to install malicious apps via a trivial MitM (Man-in-the-Middle) attack.

This method allows an attacker to deliver the malicious app to the device without being hindered by Apple’s security measures. The impact of this vulnerability depends on the type of malicious app the attacker wants to push to the device.
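Because the attack described above starts with a configuration profile delivered out of band (SMS, IM, email), a defender's first control is to inspect what a profile would do before it is ever installed. The checker below is an added example, not code from the article or from Check Point: it parses an unsigned `.mobileconfig` with Python's standard `plistlib`, flags an MDM enrollment payload whose `ServerURL` is not one of the organisation's own MDM hosts, and flags payloads that install certificates or a global proxy, the building blocks of the man-in-the-middle position the article mentions. The allowlisted host `mdm.example-corp.internal` and both sample profiles are constructed for this example.

```python
import plistlib
from urllib.parse import urlparse

# Assumed: the MDM server host(s) your organisation actually operates.
TRUSTED_MDM_HOSTS = {"mdm.example-corp.internal"}

# Payload types that alter device trust or traffic flow; any of these in a
# profile that arrived by SMS/IM/email deserves a hard look.
SENSITIVE_PAYLOAD_TYPES = {
    "com.apple.security.root": "installs a root CA (enables TLS interception)",
    "com.apple.security.pem": "installs a certificate",
    "com.apple.security.pkcs12": "installs a certificate with private key",
    "com.apple.proxy.http.global": "sets a global HTTP proxy (traffic redirection)",
}


def parse_profile(data: bytes):
    """Return (plist dict, signed flag).

    A CMS-signed .mobileconfig is a DER blob whose first byte is 0x30, so
    plistlib cannot read it directly; this checker fully inspects only
    unsigned (plain plist) profiles and just reports signed ones.
    """
    if data[:1] == b"\x30":
        return None, True
    return plistlib.loads(data), False


def inspect_profile(data: bytes) -> list:
    """Return a list of human-readable findings for a profile."""
    findings = []
    profile, signed = parse_profile(data)
    if signed:
        findings.append("profile is CMS-signed; verify the signer chain before trusting it")
        return findings
    findings.append("profile is unsigned: origin cannot be verified")
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        pid = payload.get("PayloadIdentifier", "?")
        if ptype == "com.apple.mdm":
            host = urlparse(payload.get("ServerURL", "")).hostname or ""
            if host not in TRUSTED_MDM_HOSTS:
                findings.append(f"{pid}: MDM enrollment to untrusted server {host!r}")
        elif ptype in SENSITIVE_PAYLOAD_TYPES:
            findings.append(f"{pid}: {SENSITIVE_PAYLOAD_TYPES[ptype]}")
    return findings


# Constructed sample: a profile posing as a Wi-Fi update that enrolls the
# device with an unknown MDM server and installs a root CA.
SUSPICIOUS_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.sample.profile</string>
  <key>PayloadDisplayName</key><string>Corporate Wi-Fi Update</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.sample.mdm</string>
      <key>ServerURL</key><string>https://mdm.unknown-host.example/mdm</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.sample.ca</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed sample: enrollment with the organisation's own MDM server only.
BENIGN_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example-corp.mdm.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example-corp.mdm</string>
      <key>ServerURL</key><string>https://mdm.example-corp.internal/mdm</string>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PROFILE), ("benign", BENIGN_PROFILE)):
        print(name)
        for finding in inspect_profile(blob):
            print("  -", finding)
```

The check is deliberately conservative: even the benign profile is reported as unsigned, because a profile's display name proves nothing about who built it, and only a verified signature or delivery through the organisation's own enrollment channel should be treated as trustworthy.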