Flaw in managed app configuration on iOS devices puts corporate data at risk

News by Rene Millman

"Quicksand" sandbox vulnerability could enable rogue apps

It is being claimed that a flaw in Apple's iOS sandbox could open up sensitive business data to hackers.

Dubbed “Quicksand” by mobile security firm AppAuthority, the flaw stems from a permissions issue in the managed app configuration system. According to Kevin Watkins, chief architect at AppAuthority, Apple had stored enterprise credentials in a directory that could be read by anyone and thus was susceptible to data theft.

The managed application configuration system was introduced with iOS 7 and affects all iPhone, iPod touch, iPad devices running iOS 7 and later. 

The vulnerability allows a malicious app, or hacker that gains access to a device, to read other installed mobile apps' managed preferences, giving criminals the ability to collect credentials and steal other sensitive company data.

The security firm disclosed the flaw to Apple, which in turn fixed the vulnerability in the most recent iOS 8.4.1 security update.

But many firms remain at risk from the bug as many mobile devices are still running outdated iOS versions without the security patch. Also many Mobile Device Management (MDM) Enterprise Mobility Management (EMM) solutions are not using best practices in regard to credential storage protocols.

According to research carried out by AppAuthority, around 70 percent of enterprise Apple devices are still running an obsolete iOS version. Therefore, even with the recent release of iOS 8.4.1, the Quicksand vulnerability will remain an enterprise security risk.

 Among the affected apps, 47 percent included credentials, such as passwords, usernames, and authentication tokens. Some 67 percent included server identification details.

Watkins said that “storing any credentials or authentication tokens on the mobile device file system should be avoided.”

“Although this sandbox violation has been patched by Apple, the patch only protects devices which update to iOS 8.4.1. Further, even on devices that are patched, the risk exists that the mobile device is compromised and no amount of sandboxing will protect the data stored on the iOS device.”

He added that if this option is unavoidable, he recommended not using this mechanism to provision secret/confidential data and ensuring that credentials and other secrets should always be stored using the device keychain. A possible way to provision this data would be to use URL schemes.

TK Keanini, CTO at Lancope, told SCMagazineUK.com that the most effective measure to force employees to update their phones to the latest version of the operating system would be by clear and frequent communication.

"Most mobile users update more often than PC /laptop users because a mobile is often set to automate much of this.  Nonetheless, this attack is in the very technology to administer this update," he said.

He added that the severity of the flaw depends on the organisation and the user of the system but technically there is a good reason it was targeted. "Compromising the MdM means you have administrative control over the device," he said.

"Organisations should have already planned on this threat scenario and the communication to its user.  Update and fix your phone and plan on this happening again," he added.

Jens Morad, systems engineer at FireEye, told SCMagazineUK.com that any flaw which allows an attacker to access potentially sensitive and corporate information is bad.

"As far as I am aware, we have not seen this sort of thing used before in the wild. However, since the exploit has now been exposed, it will only be a matter of time before we see someone trying and use it either in a targeted or a opportunistically-driven attack. We know that cyber-criminals are becoming quick adopters of documented exploits, so the time for upgrading a device is critical," he said.

"Enterprises need to make sure they have a plan for emergency patching and updates in order to protect themselves from these sorts of attacks. It is crucial that enterprises who rely on scheduled changes consider moving into a more dynamic way of applying patches in general," he added.

Andrew Conway, research analyst at Cloudmark, told SCMagazineUK.com that If an organisation's MDM can't force an operation system upgrade, or at least report on the iOS version in use on each device so that users who have not upgraded can be locked out of the system, then organisations may need to consider using a different MDM.

He added that if an enterprise is a high value target for APTs, then they  shouldn't be using iOS in the first place.

"iOS is a closed system. You get the level of security that Apple provides, and while this is good for personal and most commercial use, there is no way to harden it to military or government standards. While an off-the-shelf Android is less secure than an iPhone, since it is an open source system you have the option of improving the security to any required level or purchasing a hardened Android system such as Blackphone or Cryptophone," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews