Researchers have discovered a method that can be used to install malware on iOS devices by abusing the mobile device management (MDM) solutions used by many enterprises.
Security firm Check Point has classified the issue as a vulnerability, which it has dubbed “SideStepper.” While experts believe this is a “possible security flaw” in the iOS 9 operating system, Apple sees it as expected behavior.
Apple allows users to install applications on non-jailbroken iPhones and iPads only from the official App Store, where all apps are verified by the company before being made available for download. In order to allow enterprises to distribute internally-used apps without having to go through the verification process, Apple has created a Developer Enterprise Program. The program allows organizations to install internal apps on employee devices using enterprise certificates signed by Apple.
After seeing enterprise certificates abused for malicious purposes, including by jailbreakers, spyware makers (Hacking Team and FinFisher), and malware creators (WireLurker and YiSpecter), Apple introduced new security features in iOS 9. Starting with iOS 9, the user must explicitly trust the app developer's enterprise certificate before an enterprise-distributed app will run. In earlier versions of iOS such apps could be launched with little friction: the first time an app was opened, the user was merely shown a message saying it came from an unknown developer.
The SideStepper technique, which Check Point researchers will detail at the Black Hat Asia conference on Friday, allows attackers to install potentially malicious apps on iOS devices by abusing MDM solutions.
MDM solutions allow enterprises to manage their employees' mobile devices centrally, including installing apps, deploying security policies, and remotely wiping lost or stolen phones. The problem is that malicious actors can launch man-in-the-middle (MitM) attacks against the channel between such products and the devices they manage.
According to Check Point, an attacker can obtain the MitM position by getting the victim to install a malicious iOS configuration profile that installs an attacker-controlled root CA and routes the device's traffic through a VPN or proxy to a server the attacker controls. Because the device now trusts the attacker's CA, the attacker can terminate and re-encrypt the device's TLS connections, including the connection to the MDM server.
When the MDM solution sends a command to an iOS device, the attacker can intercept the command and replace it with a request to install an arbitrary application. The victim sees nothing suspicious: apps pushed through MDM are installed without the explicit developer-trust step that iOS 9 requires for manually installed enterprise apps, which makes it hard for the user to distinguish legitimate enterprise apps from bogus programs delivered by attackers.
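The two artefacts described above, the MitM-enabling configuration profile and the substituted MDM install command, are both Apple property-list documents, so a defender can inspect them before trusting them. The following Python script is an added example, not code from Check Point or from the original article: it flags profile payloads that grant a third party a man-in-the-middle position (root CA, global HTTP proxy, VPN), and flags an MDM `InstallApplication` command whose `ManifestURL` does not point at an approved enterprise app host. The payload type identifiers and the MDM command keys are Apple's; the sample profile, the sample command, the hostnames and the allow-list are constructed for the example.

```python
import plistlib
from urllib.parse import urlparse

# Apple configuration-profile PayloadType values that let whoever pushed the
# profile sit in the middle of the device's network traffic.
MITM_PAYLOAD_TYPES = {
    "com.apple.security.root": "installs a root CA the device will trust",
    "com.apple.proxy.http.global": "routes HTTP(S) traffic through a proxy",
    "com.apple.vpn.managed": "routes traffic through a VPN endpoint",
}


def profile_mitm_findings(profile_bytes):
    """Return [(payload_type, detail)] for every MitM-capable payload in a .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype not in MITM_PAYLOAD_TYPES:
            continue
        if ptype == "com.apple.proxy.http.global":
            detail = "%s:%s" % (payload.get("ProxyServer"), payload.get("ProxyServerPort"))
        elif ptype == "com.apple.vpn.managed":
            detail = payload.get("VPN", {}).get("RemoteAddress")
        else:
            detail = payload.get("PayloadDisplayName", "")
        findings.append((ptype, detail))
    return findings


def install_command_off_allowlist(command_bytes, allowed_manifest_hosts):
    """If this MDM command installs an enterprise app from an unapproved host,
    return that host; otherwise return None."""
    body = plistlib.loads(command_bytes)
    cmd = body.get("Command", {})
    if cmd.get("RequestType") != "InstallApplication":
        return None
    manifest = cmd.get("ManifestURL")
    if manifest is None:
        return None  # App Store install (iTunesStoreID), not an enterprise-signed binary
    host = urlparse(manifest).hostname
    return None if host in allowed_manifest_hosts else host


# --- constructed samples (not real artefacts from the SideStepper research) ---

SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "test.example.mitm-profile",
    "PayloadUUID": "11111111-2222-3333-4444-555555555555",
    "PayloadVersion": 1,
    "PayloadContent": [
        {   # root CA payload; the certificate bytes are a placeholder, not a real DER cert
            "PayloadType": "com.apple.security.root",
            "PayloadIdentifier": "test.example.rootca",
            "PayloadUUID": "aaaaaaaa-0000-0000-0000-000000000001",
            "PayloadVersion": 1,
            "PayloadDisplayName": "Corp Root (constructed)",
            "PayloadContent": b"\x30\x82\x00\x00",
        },
        {   # global proxy payload pointing at a host the attacker controls
            "PayloadType": "com.apple.proxy.http.global",
            "PayloadIdentifier": "test.example.proxy",
            "PayloadUUID": "aaaaaaaa-0000-0000-0000-000000000002",
            "PayloadVersion": 1,
            "ProxyType": "Manual",
            "ProxyServer": "proxy.example.test",
            "ProxyServerPort": 8080,
        },
    ],
})

# An MDM command body as the device would receive it after check-in, with the
# manifest URL swapped to a host outside the enterprise's app server.
SAMPLE_COMMAND = plistlib.dumps({
    "CommandUUID": "bbbbbbbb-0000-0000-0000-000000000001",
    "Command": {
        "RequestType": "InstallApplication",
        "ManifestURL": "https://apps.example.test/payload/manifest.plist",
        "ManagementFlags": 1,
    },
})

APPROVED_APP_HOSTS = {"mdm-apps.example.com"}

if __name__ == "__main__":
    for ptype, detail in profile_mitm_findings(SAMPLE_PROFILE):
        print("profile: %s (%s): %s" % (ptype, MITM_PAYLOAD_TYPES[ptype], detail))
    bad_host = install_command_off_allowlist(SAMPLE_COMMAND, APPROVED_APP_HOSTS)
    if bad_host:
        print("MDM command installs an enterprise app from unapproved host:", bad_host)
```

Run on its own, the script reports the root CA and proxy payloads in the constructed profile and the unapproved manifest host in the constructed command. In practice the profile check belongs wherever profiles are reviewed before distribution or collected from devices, and the command check belongs on the MDM server side or in any inspection point that sees the commands the device will act on.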
According to experts, the method can be used to deliver malware that is designed to capture screenshots, log keystrokes, harvest sensitive information, and hijack the camera and microphone.
Check Point has advised enterprises to implement solutions that enable them to assess the risk of malicious enterprise applications on mobile devices, and not to rely on the judgement of end users in BYOD environments.