SideStepper vulnerability in iOS 9 endangers companies that use MDM to distribute apps

Mobile device management solutions pose a threat to device-holders if MDM communications via iOS are successfully hijacked by bad actors, according to a new report.

Apple's iOS 9 added safeguards for businesses to help prevent employees from downloading malicious software posing as legitimate enterprise apps, but researchers now warn that the use of mobile device management (MDM) technology within companies opens up a loophole in these protections.

According to a new research report from Check Point Software Technologies, MDM solutions, which allow companies to distribute software to employees' mobile devices en masse across the enterprise, pose a threat to device-holders if MDM communications via iOS are successfully hijacked by bad actors. Check Point has nicknamed the attack SideStepper.

To pull off a SideStepper attack, an attacker would first trick an employee into installing a malicious configuration profile by clicking on a link in a phishing email, SMS text message or instant message. The attacker-controlled profile then sets the stage for a man-in-the-middle attack on the device's MDM communications: device-holders think they've received an over-the-air app installation from corporate IT, when it's actually a malicious enterprise app pushed by cyber-criminals who have hijacked the MDM exchange.
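The first link in that chain is a user accepting a configuration profile, so a practical check is to audit any .mobileconfig that reaches a user (from a mail gateway, MDM helpdesk or device inventory) before it is trusted. The script below is an added example, not code from the Check Point report or from any MDM vendor: it parses an unsigned XML profile with the standard library, flags an MDM enrollment payload whose ServerURL or CheckInURL is not a known corporate host, and flags payloads that install a root CA or a global HTTP proxy, which is what an attacker needs to interpose on the MDM exchange. The sample profile, the hostnames (mdm.attacker.example, mdm.corp.example) and the function name audit_profile are constructed for illustration; the payload type identifiers are Apple's standard ones.

```python
import plistlib
from urllib.parse import urlparse

# Apple's standard profile payload types relevant to hijacking MDM traffic.
MDM_PAYLOAD = "com.apple.mdm"
ROOT_CA_PAYLOAD = "com.apple.security.root"
PROXY_PAYLOAD = "com.apple.proxy.http.global"

# Constructed sample (not taken from the article): a profile that looks like a
# corporate update but enrols the device with an unknown MDM server and
# installs a root CA, the combination needed to impersonate corporate MDM.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Corporate IT Update</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadUUID</key><string>6f1c2a8e-3b7d-4e90-9a11-0c5d2f7b8e41</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.profile.mdm</string>
      <key>PayloadUUID</key><string>2b9e4d71-8c0f-4a62-b3e5-7d1a9f0c4e28</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.attacker.example/mdm</string>
      <key>CheckInURL</key><string>https://mdm.attacker.example/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.example</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.profile.rootca</string>
      <key>PayloadUUID</key><string>9a3f5c12-6e8b-4d07-a2c4-1f8e6b3d0a95</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key><data>AAECAwQ=</data>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_profile(profile_bytes, trusted_mdm_hosts):
    """Return a list of findings for a .mobileconfig; an empty list means nothing flagged.

    trusted_mdm_hosts: set of hostnames the company's real MDM server answers on.
    Only plain (unsigned) XML or binary plists are parsed; a CMS-signed profile is
    DER-wrapped and is reported so the signer can be verified separately.
    """
    findings = []
    if not profile_bytes.lstrip().startswith((b"<?xml", b"bplist")):
        return ["profile is not a plain plist (probably CMS-signed): verify the signer before trusting it"]

    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == MDM_PAYLOAD:
            # Enrollment URLs decide who the device obeys from now on.
            for key in ("ServerURL", "CheckInURL"):
                url = payload.get(key, "")
                parsed = urlparse(url)
                if parsed.scheme != "https":
                    findings.append(f"{key} is not https: {url}")
                if parsed.hostname not in trusted_mdm_hosts:
                    findings.append(f"{key} points at an unknown MDM host: {parsed.hostname}")
        elif ptype == ROOT_CA_PAYLOAD:
            findings.append("profile installs a root CA certificate (enables TLS interception)")
        elif ptype == PROXY_PAYLOAD:
            findings.append(f"profile sets a global HTTP proxy: {payload.get('ProxyServer')}")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE, {"mdm.corp.example"}):
        print("FLAG:", finding)
```

Run against the sample with the real corporate host whitelisted, the script flags both enrollment URLs and the root CA; a profile from the genuine MDM server that carries no certificate or proxy payload produces no findings. A profile that is CMS-signed is handed back for signature checking rather than parsed, since a valid signature from an unknown signer is exactly what a phishing lure would carry.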

A malicious enterprise app could allow bad actors to completely take over the phone, endangering not only the device-holder but potentially the enterprise if confidential or sensitive documents, files or contacts are exposed. The criminals could potentially capture screenshots, even of content displayed inside secure containers, as well as record keystrokes.

Normally under iOS 9, as a precaution, a user who downloads an enterprise app on his device must first go through a series of settings screens to verify the app's developer before actually executing the programme. But MDM solutions skip these steps for the sake of expediency and efficient business workflow: “iOS natively trusts any app installed by MDM solutions,” the report explains. “In fact, an app installed by an MDM will not show any indication of its origin.”

Furthermore, the app download and approval process looks exactly the same regardless of which MDM solution a company is using, making it easy for cyber-criminals to convincingly spoof the process, as no special customisation is necessary.

“The issue is not with the MDM companies,” said Michael Shaulov, head of mobility product management at Check Point Software Technologies, in an interview with SCMagazine.com. “The [MDM] communication API is not developed by the various MDM developers. It's actually something provided by Apple, so Apple is responsible” for correcting this flaw. Check Point informed Apple of this vulnerability in late 2015 and it is not known when the company will address it. SCMagazine.com has reached out to Apple for comment. In the meantime, Shaulov said, businesses can help themselves by coupling their MDM solutions with a proven mobile threat intelligence solution.