Enterprise placed at risk by iOS sandbox vulnerability

Details have emerged concerning a severe iOS flaw which impacts mobile device management solutions.


A vulnerability affecting iOS mobile device management (MDM) solutions, which was able to expose enterprise credentials used by apps and for corporate server access, has been patched.

Last week, the iPad and iPhone maker fixed the 'Quicksand' flaw, CVE-2015-5749, which utilizes a third-party sandbox flaw to harvest credentials used by enterprise mobile applications.

According to mobile security firm Appthority, the previously unknown flaw impacts MDM clients as well as any applications which are distributed through an MDM's Managed App Configuration settings, used to configure and store settings and data.

IT departments within the enterprise often push the credentials and authentication information necessary to set up accounts for MDM clients and distributed apps on corporate mobile devices. This is a convenient and relatively quick way of granting employees access to business apps and systems by configuring and controlling enterprise smartphones and tablets remotely.

However, a recently discovered sandbox vulnerability within iOS allowed a mobile app or the MDM vendor app itself to monitor this sensitive data. As credentials are stored in a world-readable format, any application exploiting this flaw can review the information sent by IT departments.

In a security advisory, Appthority's Enterprise Mobility Threat Team said this flaw could open the way for threat actors to use spear-phishing or develop an app which has a chance of being installed on an unpatched enterprise device -- such as productivity software -- which monitors the MDM stream for settings being written to the world-readable directory.

The vulnerability then allows malicious apps, distributed through iTunes, to harvest this data and send it back to the attacker.

"Because all apps have access to the directory, it could hide in plain sight and operate as one of the many legitimate apps that have access to the directory in question," the security team says.


Severity depends on the specific enterprise user and whether corporate e-mail and business documents, as well as browser apps used to access enterprise networks, are involved. After running a global sweep of apps on enterprise-managed devices, Appthority says that 67 percent of apps reliant on configuration through MDM referenced server authentication tokens, which could become a serious security risk to businesses.

Appthority worked with Apple's security team to patch the flaw, and the vulnerability was resolved in the latest iOS 8.4.1 update. Users are encouraged to install the latest update to avoid becoming a victim of this vulnerability.
