Starting with iOS 9, Apple has tried to make it harder for attackers to trick users into installing unauthorized apps on their devices by abusing stolen enterprise certificates. However, it left one door open that attackers can still exploit: the protocol used by mobile device management products.
In a presentation at the Black Hat Asia security conference on Friday, researchers from Check Point Software Technologies will demonstrate that the communication between MDM products and iOS devices is susceptible to man-in-the-middle attacks and can be hijacked to install malware on non-jailbroken devices with little user interaction.
Apple's tight control over the iOS App Store has made it hard, but not impossible, for attackers to infect iOS devices with malware.
The most common way for hackers to infect non-jailbroken iOS devices with malware is through stolen enterprise development certificates. These are code-signing certificates obtained through the Apple Developer Enterprise Program that allow companies to distribute internal apps to iOS devices without publishing them in the public app store.
In older versions of iOS, deploying an app signed with an enterprise certificate required the user to open a link where the app was hosted, agree to trust the developer and then agree to install the app. The process required user interaction, but it was easy enough to be abused in social engineering attacks that tricked users into performing the required steps.
According to Michael Shaulov, the head of mobility product management at Check Point, Apple decided to address this risk in iOS 9 by adding additional steps to the enterprise app deployment process. But it left open a loophole: the way in which MDM products install apps on iOS devices remained unaffected.
Companies use MDM products to control, configure, secure and, if necessary, wipe their employees' mobile devices. These products also include private app stores that allow companies to easily deploy apps to their employees' devices.
The Check Point researchers found that the MDM protocol implemented in iOS is susceptible to man-in-the-middle attacks and can be used to install malware on non-jailbroken devices.
The attack would only work against devices that are registered to an MDM server, but many mobile devices used in enterprise environments are.
Then the attacker would need to trick the users of those devices into installing a malicious configuration profile. This wouldn't be hard to do either, because most enterprise users are used to installing such profiles. They are typically used to deploy VPN, Wi-Fi, email, calendar and other settings.
The malicious configuration profile distributed by the attacker would install a rogue root certificate and would configure a proxy for the device's Internet connection. This would route the device's traffic through a server under the attacker's control and would enable the man-in-the-middle attack.
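The combination the researchers describe, a profile that both adds a root certificate and points the device at a proxy, is something a defender can check for before a profile is pushed or when one turns up on a device. The following is an added example, not code from the article or from Check Point: it parses an iOS configuration profile (an XML property list) with Python's standard `plistlib` and flags that combination. The sample profile is constructed for illustration, and the payload type identifiers are assumed to match Apple's documented values for root certificate and global HTTP proxy payloads.

```python
import plistlib

# Constructed sample .mobileconfig (XML plist): a root CA payload plus a
# global HTTP proxy payload, the pairing the article describes. Not real.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>example.constructed.rootca</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadIdentifier</key><string>example.constructed.proxy</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Assumed Apple payload type identifiers (root certificate, global HTTP proxy).
ROOT_CA_TYPES = {"com.apple.security.root"}
PROXY_TYPES = {"com.apple.proxy.http.global"}


def payload_types(profile: bytes) -> list:
    """Return the PayloadType of every payload inside a profile's PayloadContent."""
    top = plistlib.loads(profile)
    return [p.get("PayloadType", "") for p in top.get("PayloadContent", [])]


def assess_profile(profile: bytes) -> dict:
    """Classify a profile: 'high' if it installs a root CA and sets a proxy
    (the MITM-enabling pair), 'medium' if it does only one, else 'low'."""
    types = payload_types(profile)
    root_ca = any(t in ROOT_CA_TYPES for t in types)
    proxy = any(t in PROXY_TYPES for t in types)
    if root_ca and proxy:
        risk = "high"
    elif root_ca or proxy:
        risk = "medium"
    else:
        risk = "low"
    return {"payload_types": types, "installs_root_ca": root_ca,
            "sets_proxy": proxy, "risk": risk}
```

A real profile may be CMS-signed, in which case the plist must be unwrapped from the signature before it is handed to `plistlib`.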