Slashdot Mirror

← Back to Stories (view on slashdot.org)

MDM Vulnerability In Apple iOS Sandbox Facilitates 'Rogue Apps'

Posted by Soulskill on from the that's-the-one-with-the-lion-right? dept.

An anonymous reader writes: A vulnerability in Apple's iOS sandbox, which could affect personal information as well as configuration settings, has been discovered by Appthority's Enterprise Mobility Threat Team. It affects all mobile device management (MDM) clients, and any mobile applications distributed by an MDM that use the "Managed App Configuration" setting for private data. An attacker could potentially create a rogue app, perhaps masquerading as a productivity tool to increase the chances of it getting installed, and then distribute the attack by means of the iTunes store or "spear fishing" email attacks.

13 comments

  1. *yawn* by plsuh · · Score: 5, Informative

    This is a second-order attack that only affects MDM clients, and then only if they've installed a rogue app AND the MDM is pre-provisioning with sensitive data. It's also already patched. It's easy to check the OS version on iOS devices tied to an MDM so that the IT department knows which ones need updates.

    Nice catch on the security side, but not a real humdinger.

    --Paul

    1. Re:*yawn* by Anonymous Coward · · Score: 0

      thanks for the info!

  2. Has been fixed in iOS 8.4.1 by Mojo66 · · Score: 3, Interesting

    From the article:

    We’ve worked directly with the Apple Security Team since this was discovered leading to the fix rolled in the latest iOS update (8.4.1).

    Although this sandbox violation has been patched by Apple, the patch only protects devices which update to iOS 8.4.1; Appthority has identified that up to 70% of iOS devices are not running the latest version of iOS, even several months after an update is issued.

    A good ./ submitter would have read the complete article and recommended in the summary to upgrade to 8.4.1.

    1. Re:Has been fixed in iOS 8.4.1 by Karlt1 · · Score: 3, Insightful

      And if these are managed devices, it doesn't matter that " 70% of iOS devices are not running the latest version of iOS". Whoever is responsible for managing the devices can tell which OS the device is running and tell the users to update.

    2. Re: Has been fixed in iOS 8.4.1 by valkraider · · Score: 1, Offtopic

      While ï£Music is a steaming pile of poo - and ï£Music certainly has raised havoc with my personal music library - I would say that " They flat-out break the device in order to push Apple's streaming music service." is not even close to true. I have 6 devices functioning perfectly fine on 8.4.1 (for everything except playing music via Apple's apps).

    3. Re: Has been fixed in iOS 8.4.1 by valkraider · · Score: 0

      The apple symbol didn't appear to work on the Slashdot mobile input form... So where you see ï£Music - read that as "AppleMusic".

    4. Re: Has been fixed in iOS 8.4.1 by Anonymous Coward · · Score: 0

      The apple symbol didn't appear to work on the Slashdot mobile input form... So where you see ï£Music - read that as "AppleMusic".

      I read this i-Pound-Music. Fitting.

    5. Re:Has been fixed in iOS 8.4.1 by DrVxD · · Score: 1

      A good ./ submitter

      Are you aiming for some kind of "Oxymoron of the year" award?

      --
      Not everything that can be measured matters; Not everything that matters can be measured.
    6. Re: Has been fixed in iOS 8.4.1 by Anonymous Coward · · Score: 0

      for everything except playing music via Apple's apps

      Problem is I do this on a daily basis. I'm hooked on their iTunes-iDevice 2-way sync (I have smart playlists that depend on when songs were last played and/or play count, it's great), so moving to a third party music player and losing that functionality isn't an appealing proposition. I'm still on 8.1.2 (the version that came with my device).

      I'd really like to try some of the new features in iOS 9 (Safari content blockers FTW), but it isn't worth the risk of Apple Music. FU, Apple! :(

  3. Interesting, but by 93+Escort+Wagon · · Score: 1

    I can't find the numbers, but I suspect only a trivially small percentage of iOS devices are MDM managed - at present anyway.

    --
    #DeleteChrome
    1. Re:Interesting, but by whh3 · · Score: 1

      Although it is a small number, those who use the MDM features think that their client devices are impenetrable because they've applied this technology. It feels like corporate IT departments want to just wash their hands of the responsibility for really working with (protecting) their client devices -- they wash their hands of responsibility as soon as they deploy MDM.

      As far as I can tell, MDM on these devices (or any device, really) only works if the device can phone home (as far as remote wipe, etc, go). So, there is no way to prevent someone from running brute force attacks for the entirety of the time they are able to keep them offline.

      --
      remove nospam. to email!