MDM Vulnerability In Apple iOS Sandbox Facilitates 'Rogue Apps'

An anonymous reader writes: A vulnerability in Apple's iOS sandbox, which could affect personal information as well as configuration settings, has been discovered by Appthority's Enterprise Mobility Threat Team. It affects all mobile device management (MDM) clients, and any mobile applications distributed by an MDM that use the "Managed App Configuration" setting for private data. An attacker could potentially create a rogue app, perhaps masquerading as a productivity tool to increase the chances of it getting installed, and then distribute the attack by means of the iTunes store or "spear fishing" email attacks.

*yawn*

[plsuh]

This is a second-order attack that only affects MDM clients, and then only if they've installed a rogue app AND the MDM is pre-provisioning with sensitive data. It's also already patched. It's easy to check the OS version on iOS devices tied to an MDM so that the IT department knows which ones need updates.

Nice catch on the security side, but not a real humdinger.

--Paul

Has been fixed in iOS 8.4.1

[Mojo66]

From the article:

We’ve worked directly with the Apple Security Team since this was discovered leading to the fix rolled in the latest iOS update (8.4.1).

Although this sandbox violation has been patched by Apple, the patch only protects devices which update to iOS 8.4.1; Appthority has identified that up to 70% of iOS devices are not running the latest version of iOS, even several months after an update is issued.

A good ./ submitter would have read the complete article and recommended in the summary to upgrade to 8.4.1.

Re:Has been fixed in iOS 8.4.1

[Karlt1]

And if these are managed devices, it doesn't matter that " 70% of iOS devices are not running the latest version of iOS". Whoever is responsible for managing the devices can tell which OS the device is running and tell the users to update.