Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Apple Updates “Sideloading” Process in iOS 9 to Boost App Security

Updated “Sideloading” Process in iOS 9 Boosts App Security

Updated “Sideloading” Process in iOS 9 Boosts App Security

Apple’s newly announced iOS 9 comes with updated security features such as a revamped app sideloading process and improved two-factor authentication, both meant to keep users and their devices better protected from malware and compromise.

iOS 9, which will be available for download on Sept. 16, includes stronger device passcode protection and an updated two-factor authentication process (2FA) built directly into iOS, making it harder for others to gain unauthorized access to Apple ID accounts.

With the help of two-step verification, users can keep their Apple ID and personal information safer than before, if an attacker has managed to get hold of a user password. Apple also introduced Touch ID technology in iPad Pro, transforming users’ fingerprints into their new passwords.

The revamped application sideloading process in iOS 9 strengthens the security of end-user devices and enterprise environments further, Lookout explains in a blog post

By definition, sideloading involves the installation of applications on devices without going through the official App Store, a tactic often used by cybercriminals to distribute malware since they don’t need to go through the usual certification process.

Applications require an iOS enterprise developer certificate to be sideloaded, and companies often use them to distribute homegrown apps to their employees’ iPhones and iPads through links in emails or via dedicated websites. However, these certificates, some of which can be purchased by cybercrimals in underground markets, can be used to install malicous apps on any iOS device, some examples being WireLurker, XAgent or Hacking Team’s malware-packed iOS apps, Outlook’s David Richardson pointed out.

When sideloading an app in previous versions of iOS, users were required to trust its developer, and they could do so instantly. As soon as the user clicked on a link, a popup appeared prompting the user to install the program. The first time the user tried to run the application, another popup informed the device owner that the developer was not trusted and asked them to trust that developer.

The change in sideloading applications in iOS 9 slightly complicates the process for end-users, but ensures that devices used in enterprise environments represent a low risk for organizations: users can no longer trust a developer from the second dialog box, but need to head to the device’s settings for that.

The installation process is similar but, when the user tries to launch the sideloaded application, a notification that it comes from an untrusted developer appears. It can only be dismissed and appears each time the user attempts to launch the untrusted application.

To remove the notification and access the application, users need to go to Settings > General > Profiles, where a list of untrusted certificates is displayed. Clicking on a certificate offers the possibility to trust the developer, which allows for any application from that developer to run on the device.

Enterprises will certainly benefit from this change, especially since they can continue to distribute homegrown apps without having their employees go through the aforementioned steps, since apps pushed through MDM are automatically trusted.

“This is a significantly more complicated flow, which will weed out many of the people who will download apps without much caution, but it doesn’t negate the fact that it only takes one weak link to compromise the network. We anticipate that apps using enterprise certs to distribute via sideloading will also include walk-throughs on how to complete this process,” Richardson said.

Apperian also has a good write up on the impact that the new app signing process in iOS 9 may have on enterprises.

Written By

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...