iOS Sandbox Vulnerability Puts Enterprises at Risk
Organizations using mobile device management (MDM) solutions are exposed to cyberattacks due to a vulnerability uncovered by researchers in the third-party app sandbox of the Apple iOS operating system.
MDM and enterprise mobility management (EMM) solutions from vendors like AirWatch, MobileIron and Good allow organizations to manage access from employee mobile devices to corporate apps, data and email.
New devices are added to the system by creating an MDM account and installing the MDM client on the device. This enables IT teams to push corporate apps, including configuration and credentials, to the mobile devices, giving employees easy access to corporate resources.
The problem, according to mobile security firm Appthority, is that the third-party app sandbox in iOS versions prior to 8.4.1 is plagued by a vulnerability (CVE-2015-5749) that exposes the configuration settings of managed applications.
Since the information is stored “world readable,” a malicious app can read the preferences of managed applications, including server identification information and authentication data such as usernames, passwords and tokens, the mobile security firm said. Normally, access to the configuration files of managed apps should be limited to the corresponding application; the files should not be accessible to all applications on the device.
Attackers can exploit the vulnerability, dubbed "Quicksand" by Appthority, by developing a malicious application that is likely to be installed by enterprise users -- for example, a productivity tool. The malware could be distributed via iTunes or through spear phishing emails.
“Once the app gets downloaded and installed on the devices, it would continuously monitor the directory for configuration settings being written to the world readable directory, harvesting and sending them to the attacker. Because all apps have access to the directory, it could hide in plain sight and operate as one of the many legitimate apps that have access to the directory in question,” Appthority explained in a blog post.
Tests conducted by the security firm have shown that MDM clients, corporate apps designed to provide access to work email and business documents, and secure browsers used for enterprise network access are the most dependent on managed configurations.
“We also found apps used in the healthcare industry, giving doctors access to patient data and records (a likely HIPAA violation),” Appthority said.
Researchers found that nearly half of these applications’ managed settings referenced credentials, while 67 percent referenced server identification data.
Apple has patched the vulnerability with the release of iOS 8.4.1. However, Appthority has determined that as many as 70 percent of iOS devices are not running the latest version of the operating system, even months after the update is released.
Appthority says it has been working with its MDM partners to implement sensitive data handling best practices. The company recommends provisioning sensitive information using URI schemes, storing credentials using the device keychain, and leveraging iOS’s single-sign-on profiles when possible.
UPDATE. MDM vendors MobileIron and Good Technology have provided the following statements to SecurityWeek:
Dr. Nicko van Someren, CTO at Good Technology:
“All Good apps and Good-secured apps developed on the Good Dynamics Secure Mobility Platform are not vulnerable to Quicksand because of our secure containerization approach to protecting content, configuration and credentials. We call these the 3 C’s of Security (we have a great white paper here).
That said, appthority has identified a genuine issue with the implementation of device management on iOS, which Apple has now fixed. It raises issues around implementation, not design. Since managed devices are readable by all apps, if you have configuration in there then that is also readable by all apps. Quicksand reinforces the more general class of vulnerabilities that come from relying on the devices security for protecting credentials and configuration.
As a result, this is why Good Technology strongly recommends mobile data management and a containerization approach to protect both configuration and credentials.”
MobileIron Statement on iOS ”Quicksand“ Security Issue:
“MobileIron technologies including Mobile@Work, Docs@Work, and AppConnect do not store any sensitive data in the managed app configuration. Therefore, there is no significant security impact if the configuration data is accessed by an unauthorized application.
At the same time, we recommend that customers review their non-MobileIron apps that leverage Managed App Configuration to ensure that no sensitive data is present in the Managed App Configuration. Examples of sensitive data include passwords, PINs, keys, or other user Personally Identifiable Information (PII).
As a best practice, we have always recommended that Managed App Configuration should not contain any sensitive information for any app.
MobileIron customers can get more details here.”