Researchers at security firm CheckPoint have discovered a new way to attack iPhones and iPads using a twist on previous methods that rely on rogue enterprise developer certificates to install a malicious app.
Apple offers enterprise certificates to allow businesses to distribute apps outside the App Store and without undergoing Apple's app-review process.
However, these certificates have been hijacked in the past for signing malicious apps. Before iOS 9, users attempting to install an enterprise app would only need to tap 'Trust' once to install an app from a developer that isn't trusted by the App Store.
Variations on the attack have enabled criminals to install malware on non-jailbroken iOS devices, by exploiting the tendency among some people to ignore security warnings.
Recent examples include YiSpecter, WireLurker, XCodeGhost, and malware from Italian spyware vendor Hacking Team, to name a few. It's also posed a greater threat to users in China where it's more common to acquire apps from outside the App Store.
Since iOS 9, Apple has raised the bar for trusting enterprise apps by requiring the user to go through multiple steps in settings to verify an untrusted developer before the app can be executed.
However, CheckPoint highlights in a new paper that to counter the additional complexity in iOS 9 when installing enterprise apps, Apple has designed it to trust any app installed by a mobile-device management (MDM) system.
BYOD and corporate devices can be centrally administered after enrolling them with the company-controlled MDM platform.
The potential weak point in this scenario -- and one that is outside Apple's control -- is that MDM platforms can be vulnerable to a man-in-the-middle attack.
Still, for this weakness to be exploited, a target must be tricked into installing a malicious configuration profile.
Configuration profiles are created with Apple Configurator, and can be distributed via a webpage, email, and in other ways, to control features such as VPN, Wi-Fi, and credentials.
Apple, for example, distributes configuration profiles to beta testers, but CheckPoint highlights that an attacker may use them to switch messages from an MDM.
"Once installed, this malicious profile allows an attacker to stage a man-in-the-middle (MitM) attack on the communication between the device and an MDM solution. The attacker can then hijack and imitate MDM commands that iOS trusts, including the ability to install enterprise apps over the air," CheckPoint notes.
"Since iOS trusts these apps, and because the installation process is familiar to the user, infection is seamless and immediate," it adds.
CheckPoint has called the vulnerability SideStepper and reported the issue to Apple in October 2015. However, Apple reported back that the behavior was "expected".