Organizations using mobile device management (MDM) solutions are exposed to cyberattacks due to a vulnerability uncovered by researchers in the third-party app sandbox of the Apple iOS operating system.
MDM and enterprise mobility management (EMM) solutions from vendors like AirWatch, MobileIron and Good allow organizations to manage access from employee mobile devices to corporate apps, data and email.
New devices are added to the system by creating an MDM account and installing the MDM client on the device. This enables IT teams to push corporate apps, including configuration and credentials, to the mobile devices, giving employees easy access to corporate resources.
The problem, according to mobile security firm Appthority, is that the third-party app sandbox in iOS versions prior to 8.4.1 is plagued by a vulnerability (CVE-2015-5749) that exposes the configuration settings of managed applications.
Since the information is stored “world readable,” a malicious app can read the preferences of managed applications, including server identification information and authentication data such as usernames, passwords and tokens, the mobile security firm said. Normally, access to the configuration files of managed apps should be limited to the corresponding application; the files should not be accessible to all applications on the device.
Attackers can exploit the vulnerability, dubbed “Quicksand” by Appthority, by developing a malicious application that is likely to be installed by enterprise users — for example, a productivity tool. The malware could be distributed via iTunes or through spear phishing emails.
“Once the app gets downloaded and installed on the devices, it would continuously monitor the directory for configuration settings being written to the world readable directory, harvesting and sending them to the attacker. Because all apps have access to the directory, it could hide in plain sight and operate as one of the many legitimate apps that have access to the directory in question,” Appthority explained.
Tests conducted by the security firm have shown that MDM clients, corporate apps designed to provide access to work email and business documents, and secure browsers used for enterprise network access are the most dependent on managed configurations.
“We also found apps used in the healthcare industry, giving doctors access to patient data and records (a likely HIPAA violation),” Appthority said.
Researchers found that nearly half of these applications’ managed settings referenced credentials, while 67 percent referenced server identification data.
Apple has patched the vulnerability with the release of iOS 8.4.1. However, Appthority has determined that as many as 70 percent of iOS devices are not running the latest version of the operating system, even months after the update is released.