The hacker can then impersonate the MDM server and push a malicious app signed with a stolen enterprise certificate to the device. In a targeted attack, the app could be crafted to masquerade as an app that the user expects to receive.
The device would display a confirmation prompt asking whether the user agrees to install the app, but even if the user declines, the attacker can keep resending the request. This would essentially prevent the user from doing anything on the device until he agrees to install the app, Shaulov said.
Because this method bypasses iOS 9's new restrictions for enterprise app deployments, the Check Point researchers have named the vulnerability Sidestepper.
The misuse of enterprise certificates is not uncommon. According to Shaulov, a scan performed on around 5,000 iOS devices belonging to one of Check Point's customers, a Fortune 100 global company, found 300 sideloaded applications signed with over 150 enterprise certificates. Many of those certificates had been issued by Apple to entities in China and had been used to sign pirated versions of legitimate apps, but at least two apps were part of known malware families.