Apple’s Developer Enterprise Program has been abused in the recent past to push malicious apps onto iOS devices, most notably with the WireLurker, XcodeGhost and YiSpecter attacks.
In all three cases, attackers legitimately obtained certificates under the program, which is available to enterprises wishing to develop and internally distribute mobile apps for their workforces without having to publish them on the App Store.
Since iOS 9, Apple has made it more difficult for rogue apps and adware to find their way onto devices. Users, for example, must work through and approve a verification process before such apps are allowed to execute.
Check Point Software Technologies researchers, however, found another soft spot in the process whereby attackers can use phishing or other social engineering attacks to trick users into installing a malicious configuration file that allows a hacker to sit in a man-in-the-middle position between the device and mobile device management tools. Hackers can abuse this situation, which Check Point is calling SideStepper, to install new settings and root CAs that allow them to redirect traffic to an attacker-controlled proxy. From there, malicious apps can be pushed to devices that expose the user to a host of security and privacy risks.
Check Point, which is scheduled to present its findings Friday at Black Hat Asia, notified Apple last October and published its findings in a report today. Apple’s response is that the behavior is “expected.” Since the attacks rely on phishing and social engineering, it’s unknown whether Apple will address this or continue to advise users not to click on untrusted links. Apple would not comment on the record.
Mobile device management tools, meanwhile, are core technologies for large organizations wishing to maintain some kind of handle on mobile devices accessing enterprise assets. The tools are used to push configuration profiles, security policy and much more to devices; many allow for the use of personal devices on the network, and compartmentalize them so that only enterprise data can be wiped in the event a device is lost or the employee leaves a company.
“The certificate will configure a VPN tunnel that will enable the attacker to insert a communication path between the phone and the MDM server,” said Avi Rembaum, vice president of security solutions at Check Point. “That then becomes their distribution vehicle for malicious apps. With the man-in-the-middle attack, the MDM system simplifies application distribution and allows the attacker to bypass iOS 9 protections, opens the phone to a breach and gives them access to data on the phone.”
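The profile-based interception described above and in Rembaum's description of the VPN tunnel comes down to two things a configuration profile can do at once: install a trust anchor and re-route traffic. The following Python script is an added illustration, not code from Check Point or the article; it parses a .mobileconfig plist and flags that combination so an administrator or help desk can triage a profile a user was tricked into installing. The payload type identifiers are Apple's documented values; the sample profile is constructed for the example.

```python
import plistlib

# Apple configuration-profile payload types (real identifiers, not taken
# from the article) that a SideStepper-style profile relies on: a trusted
# root CA plus a VPN or proxy that re-routes traffic through the attacker.
CERT_PAYLOADS = {"com.apple.security.root", "com.apple.security.pkcs12"}
ROUTE_PAYLOADS = {"com.apple.vpn.managed", "com.apple.proxy.http.global"}


def audit_profile(profile_bytes: bytes) -> dict:
    """Parse a .mobileconfig plist and report MITM-enabling payloads.

    Returns {"certs": [...], "routes": [...], "mitm_capable": bool}. The
    profile is flagged mitm_capable only when it both installs a trust
    anchor and re-routes traffic, which is what the attack needs.
    """
    profile = plistlib.loads(profile_bytes)
    certs, routes = [], []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        name = payload.get("PayloadDisplayName", "<unnamed>")
        if ptype in CERT_PAYLOADS:
            certs.append(f"{name} ({ptype})")
        elif ptype in ROUTE_PAYLOADS:
            routes.append(f"{name} ({ptype})")
    return {"certs": certs, "routes": routes,
            "mitm_capable": bool(certs) and bool(routes)}


# Constructed sample profile (hypothetical, not a real attacker artifact):
# a root CA plus a VPN payload, the combination the article describes.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Company Wi-Fi Helper</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadDisplayName</key><string>Corp Root CA</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadDisplayName</key><string>Corp VPN</string>
    </dict>
  </array>
</dict></plist>"""

if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE)
    for line in report["certs"] + report["routes"]:
        print("risky payload:", line)
    print("MITM-capable profile:", report["mitm_capable"])
```

A profile that only adds a root CA, or only a VPN, is reported but not flagged as MITM-capable; the pairing is what lets an installer intercept TLS traffic to the MDM server.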
Check Point also shared data from a study of 5,000 iOS devices belonging to a Fortune 100 company; the company built more than 300 enterprise apps and was issued 116 unique enterprise certs from Apple, but only 11 were on a list of whitelisted developers. The remaining certificates belonged to developers with either negative reputations or very little indication of previously having developed iOS apps.
“You do have a gray area of risk that’s created,” Rembaum said. “Within this area, apps distributed by the enterprise program allow for malicious activity and abuse of the public API space of the phone. An attacker can use this to access the microphone, camera, device location. There’s a lot of information that can be used to go after individuals or to build a social engineering campaign to go after an entire company.”