Apple’s Workflow For Enterprise iOS App Distribution Vulnerable To Attack

Millions of iPhones and iPads running iOS 9 can be exploited if enrolled in mobile device management, Check Point Software says.

Security vendor Check Point Software Technologies has sounded the alarm on an apparent weakness in Apple’s application distribution workflow for enterprises that it says gives attackers an opening to install malware on iPhones and iPads used by enterprise users.

The SideStepper flaw affects iOS 9 devices enrolled with an enterprise Mobile Device Management (MDM) system and can be exploited to take complete control of vulnerable devices, Check Point warned. Potentially millions of iOS 9 devices enrolled in enterprise MDM systems are vulnerable to attack.

In a white paper, Check Point researchers Avi Bashan and Ohad Bobrov described the flaw as enabling adversaries to execute a man-in-the middle (MITM) attack for intercepting communications between a managed iOS device and the MDM server. Such an attack would allow threat actors to install malware of their choice on a vulnerable device and take full control of it without the user’s knowledge.

But in order to pull it off, an attacker first must compromise the user’s device.

The SideStepper vulnerability exists in the process that Apple offers to enterprises for installing internally developed iOS applications on iPhones and iPads.

Typically, users who want to download an iOS app can only get it through Apple’s official App Store, unless of course they have jailbroken their device. All apps in the App Store go through a thorough security review and vetting process and are digitally signed by Apple before they are available for download. Usually, only Apple-signed applications can run on non-jailbroken iOS devices.

Apple offers an Apple Developer Enterprise program for organizations that want to develop and install their own iOS apps without having to go through the company’s usual vetting process. For such organizations, Apple offers a signed enterprise certificate that can be used to sign internally developed iOS apps so they can be installed on enterprise iPhones and iPads.

Such enterprise certificates have been frequently abused in the past to distribute malicious and pirated applications. As Bashan and Bobrov note in the white paper, third-party app stores have in the past registered themselves as legitimate enterprises with Apple in order to obtain signed enterprise certificates from the company, which they have then used to distribute third-party apps.

In 2015, the issue gained considerable attention when the Hacking Team took advantage of an Apple enterprise certificate it owned and a previously discovered flaw dubbed Masque Attack to distribute a malicious app to devices running iOS versions 8.1.3 and earlier.

In order to address the shortcomings, Apple introduced some tighter security measures for enterprise app installation with the release of iOS 9, the two security researchers said. Enterprise users for instance have to go through a “maze of settings screens” to confirm the app’s developer when they want to install an enterprise iOS app on their devices for the first time, they said.

“Apple did leave a loophole, however,” according to Bashan and Bobrov. “iOS natively trusts any app installed by MDM solutions, which are exclusively used by businesses.”

So by intercepting communications between a managed iOS device and the MDM server, an attacker could install malware over-the-air on devices running iOS 9. In order to exploit the SideStepping weakness using an MITM attack, however, an attacker would first need to find a way to compromise a user system and get it to route traffic to a malicious server. Such a compromise can be accomplished via a phishing attack, Check Point said.

“The vulnerability is actually in the way Apple implemented this fix for making enterprise apps more difficult to install,” says Avi Rembaum, vice president of security solutions at Check Point. The changes that Apple made in the app distribution workflow with iOS 9 adds several steps intended to make it clear to the user that he or she is doing something that’s not typical behavior for an average user, he says.

“[But], it doesn’t address over-the-air installation of malicious enterprise apps should an attacker stage a MITM attack on a device’s communication with an MDM,” he says.

Attacks of this type theoretically could be exploited on a mass scale, Rembaum says. “But it’s more likely that it’d be used to target a specific individual, or groups of individuals.”

Check Point says it informed Apple of the problem in October 2015.  “Apple responded in November 2015 that the behavior the research team demonstrated ‘is expected,’” Check Point said.

Related Stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

More Insights