BYPASSING THE ios GATEKEEPER

Similar documents
Enterprise Apps: Bypassing the Gatekeeper

ENTERPRISE APPS: BYPASSING THE IOS GATEKEEPER. Ohad Bobrov Avi Bashan

Protecting Android Mobile Devices from Known Threats

Enterprise Mobile Threat Report

Enterprise Mobile Security. Managing App Sideloading Threats on ios

How To Protect Your Mobile Device From Attack

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

{ipad Security} for K-12. Understanding & Mitigating Risk. plantemoran.com

Mobile Security: Threats and Countermeasures

The Use of the Simple Certificate Enrollment Protocol (SCEP) and Untrusted Devices

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Mobile Device Management:

Software that provides secure access to technology, everywhere.

Mobile Device Management

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Secure Your Mobile Workplace

BUILDING SECURITY IN. Analyzing Mobile Single Sign-On Implementations

BYOD Guidance: BlackBerry Secure Work Space

Penetration Testing for iphone Applications Part 1

ABSTRACT' INTRODUCTION' COMMON'SECURITY'MISTAKES'' Reverse Engineering ios Applications

ios Enterprise Deployment Overview

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

The Cloud App Visibility Blindspot

Utilizing Pervasive Application Monitoring and File Origin Tracking in IT Security

Securing Office 365 with MobileIron

Five Tips to Reduce Risk From Modern Web Threats

Security Best Practices for Mobile Devices

Threat Model for Mobile Applications Security & Privacy

Mobile First Government

End User Devices Security Guidance: Apple ios 8

Kony Mobile Application Management (MAM)

IBM Endpoint Manager for Mobile Devices

BYOD in the Enterprise

The Oracle Mobile Security Suite: Secure Adoption of BYOD

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

mobilecho: 5-Step Deployment Plan for Mobile File Management

Addressing NIST and DOD Requirements for Mobile Device Management

Cisco Mobile Collaboration Management Service

Future of Mobile App Security. Vincent Sritapan Program Manager Cyber Security Division Science and Technology Directorate

OWA vs. MDM. Once important area to consider is the impact on security and compliance policies by users bringing their own devices (BYOD) to work.

Five Best Practices for Secure Enterprise Content Mobility

... Mobile App Reputation Services THE RADICATI GROUP, INC.

Bring Your Own Devices (BYOD) Information Governance Guidance

Running Head: AWARENESS OF BYOD SECURITY CONCERNS 1. Awareness of BYOD Security Concerns. Benjamin Tillett-Wakeley. East Carolina University

Advanced Endpoint Protection Overview

Trend Micro Incorporated Research Paper Adding Android and Mac OS X Malware to the APT Toolbox

Whitepaper. Mobile Security. The 5 Questions Modern Organizations Are Asking

SPEAR PHISHING UNDERSTANDING THE THREAT

Guidance End User Devices Security Guidance: Apple ios 7

Workday Mobile Security FAQ

Using the Apple Configurator and MaaS3360

Securing mobile devices in the business environment

ios Security The Never-Ending Story of Malicious Profiles Adi Sharabani Yair Amit CEO & Co-Founder Skycure CTO & Co-Founder

Symantec App Center. Mobile Application Management and Protection. Data Sheet: Mobile Security and Management

Endpoint protection for physical and virtual desktops

Deploying iphone and ipad Security Overview

The Incident Response Playbook for Android and ios

Kaspersky Security for Mobile

ForeScout MDM Enterprise

Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices

Mobile Application Management

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Why Digital Certificates Are Essential for Managing Mobile Devices

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Good for Enterprise Good Dynamics

Symantec Mobile Management Suite

CERTIFIGATE. Front Door Access to Pwning hundreds of Millions of Androids. Avi Bashan. Ohad Bobrov

Application Security in the Software Development Lifecycle

Guideline on Safe BYOD Management

CHECK POINT Mobile Security Revolutionized. [Restricted] ONLY for designated groups and individuals

curbi for Schools Technical Overview October 2014

Adobe Flash Player and Adobe AIR security

Basic Security Considerations for and Web Browsing

Enterprise Mobility Report 06/2015. Creation date: Vlastimil Turzík

How To Manage A Corporate Device Ownership (Byod) On A Corporate Network (For Employees) On An Iphone Or Ipad Or Ipa (For Non-Usenet) On Your Personal Device

DUBEX CUSTOMER MEETING

Vodafone Global Enterprise Deploy the Apple iphone across your Enterprise with confidence

IT Resource Management & Mobile Data Protection vs. User Empowerment

Critical Security Controls

Tutorial on Smartphone Security

Deploying iphone and ipad Mobile Device Management

Improve your mobile application security with IBM Worklight

Transcription:

BYPASSING THE ios GATEKEEPER AVI BASHAN Technology Leader Check Point Software Technologies, Ltd. OHAD BOBROV Director, Mobile Threat Prevention Check Point Software Technologies, Ltd. EXECUTIVE SUMMARY The Apple ios security paradigm is built on several main factors, one of them being that the Apple App Store offers a central distribution process that allows verification of nearly all code executed on iphones and ipads. However, recent attacks targeting ios (e.g., Masque Attack, WireLurker, Hacking Team, YiSpecter, to name a few) demonstrate that there are some inherent vulnerabilities in this ecosystem. This report covers one such vulnerability, which exposes ios users in the enterprise to cyberattacks. The Check Point research team has highlighted an attack vector a possible security flaw in Apple s ios 9 that allows threat actors to install malicious apps on enterprise employees iphones and ipads. The flaw enables threat actors to stage a Man-in-the-Middle attack that hijacks communications between managed ios devices and Mobile Device Management (MDM) solutions. This exploit could give threat actors control of devices, the data that resides on them, and even enterprise services, potentially impacting millions of ios users worldwide whose devices are managed by an MDM. Check Point s policy in such cases is to immediately notify the manufacturer of the product in which an attack vector has been found, to give the company an opportunity to resolve the situation. Accordingly, the Check Point research team s findings and a video demonstrating how a threat actor could attack an ios device were submitted to Apple s security team in October 2015. Apple responded in November 2015 that the behavior the research team demonstrated is expected. 2016 Check Point Software Technologies Ltd. All rights reserved 1

DEVELOPING APPS FOR IOS A substantial part of the ios value proposition hinges on providing superior security and privacy for users and their sensitive data. Apple uses several distinct approaches to achieve this, including: Sandboxing: Each app is embedded within a sandbox that limits its privileges and capabilities to access or operate within protected parts of the OS. Permissions: Apps that require certain access to resources to function must request specific permissions from the user. Signed code: Unless a device is jailbroken, only signed code can run on a device. This is done to ensure all code running on a device has received final approval from Apple and is safe to use. ios apps are strictly controlled by Apple. As part of its app strategy, Apple provides a single App Store for users to download apps to their devices. Developers must be registered in order to publish apps on the App Store. This enables Apple to control who s developing apps for its ecosystem and to banish developers who fail to meet its standards. ios developers can t develop apps anonymously if they want their apps distributed through the App Store. APP REVIEW PROCESS Each time a developer publishes a new version of an app, it must undergo a rigorous security review. This review process may take several weeks and is conducted according to a basic set of rules outlined in the App Store Review Guidelines. These rules filter out apps that contain improper content, that are low quality, or that have malicious intent. During the review, the app s content, functionality, behavior, APIs, and many other aspects are scrutinized to prevent malicious or dangerous apps from being published in the App Store. Although this process is thorough, Apple s review process can sometimes allow apps that include malicious code into the App Store (Apple Confirms Discovery of Malicious Code in Some App Store Products, New York Times, September 20, 2015). APPLE DEVELOPER ENTERPRISE PROGRAM Apple created the Apple Developer Enterprise Program to offer organizations a way to develop and distribute apps for internal enterprise use. These apps can be distributed quickly and directly to devices, enabling enterprises to develop apps that meet their business requirements without publishing them on the App Store. In this way, organizations can avoid a lengthy review process and, more importantly, keep these apps only for internal use by employees. 2016 Check Point Software Technologies Ltd. All rights reserved 2

WHAT IS AN ENTERPRISE CERTIFICATE? An enterprise certificate is a certificate signed by Apple that developers can use for signing apps they create in XCode. Apps signed with this certificate can be installed on ios devices without having to be vetted through the traditional App Store process. This is done not only for testing purposes but for enterprises who may want to develop apps themselves then distribute them to their employees without requiring that these employees install the app through the App Store. Developer Enterprise certificates have relaxed restrictions on the number and type of devices on which apps signed using these certificates can be installed. FROM THEORY TO PRACTICE: ENTERPRISE CERTIFICATE ABUSE Enterprise certificates are abused on a regular basis. Third-party app stores like vshare, 25PP, Kuaiyong, 7659, and others abuse certificates as a distribution method. These third-party app stores register as an enterprise with Apple to enter the program and obtain an enterprise certificate. They use the certificate to install apps on their customers devices, claiming they are staff members. Unfortunately, many examples of malicious abuse of enterprise apps can be found: 2013 FinFisher 2014 Masque Attack 2015 Hacking Team 2014 Pangu 2014 WireLurker 2015 YISpecter 2016 Check Point Software Technologies Ltd. All rights reserved 3

TEST CASE: HACKING TEAM One example of an attack that abused enterprise developer certificates is the case of the Hacking Team s ios malware, which in 2015 targeted ios versions 8.1.3 and earlier. The malware leveraged a vulnerability dubbed Masque Attack, which was discovered in 2014 and allowed enterprise apps to replace existing apps on a device, including system apps. The newly installed app kept the original app s directory and could steal any local cache that existed. To create an app with a matching bundle identifier (ID), a threat actor must use an enterprise certificate. This is because the bundle ID verification is performed when a developer submits an app to the App Store for review. Hacking Team used this attack method and abused an enterprise certificate they owned. Using this certificate, they created a malicious app disguised as the Newsstand app, which was native to ios until ios 9. The malware accessed the user s location, photos, and address book, and sent their data to a server they controlled. In addition, the malware installed a keyboard that recorded all keystrokes and sent them to the same server. The only way Hacking Team was able to leverage Masque Attack was by using an enterprise certificate to bypass the App Store bundle identifier check. CASE STUDY: FORTUNE 100 COMPANY Check Point researchers studied the use of enterprise apps in a Fortune 100 company, analyzing approximately 5,000 devices. These were the results: 318 unique enterprise apps were installed 116 unique enterprise certificates were used Of the 116 unique enterprise certificates, only 11 belonged to whitelisted developers with positive reputations and with a record of having previously developed apps. Most of the certificates belonged to developers with little or no information about their reputation. CASE STUDY: NON-APP STORE CERTIFICATES IN A FORTUNE 100 COMPANY 80 70 60 50 40 30 20 # of Certificates 10 0 Whitelisted Compromised Minimal Reputation No Reputation 2016 Check Point Software Technologies Ltd. All rights reserved 4

ORIGIN OF ENTERPRISE CERTIFICATES MORE THAN 70% OF THE ENTERPRISE APPS ORIGINATED IN CHINA AND OTHER COUNTRIES IN ASIA. BECAUSE THE APP STORE IN CHINA IS NOT AS WIDELY ADOPTED AS IN OTHER PARTS OF THE WORLD, DEVELOPERS THERE DISTRIBUTE APPS USING OTHER, ALTERNATIVE APP MARKETPLACES. 72% A HARD PROBLEM TO SOLVE Following the attacks shown on the timeline chart above, Apple understood the problem with enterprise apps. Enterprise apps cannot be eliminated, since many organizations are already heavily invested in this solution. However, Apple took certain steps to mitigate the threat. In response to what amounted to a significant vulnerability to their ecosystem, Apple introduced new security measures for enterprise apps in ios 9. The first action Apple took was to increase the complexity of executing enterprise apps. For instance, when the enterprise app is initially downloaded, the user must go through a maze of settings screens to verify the app s developer. Only after this verification process is complete can the app be executed. This process differs from previous versions of ios, in which the user was merely shown a message the first time the app was opened that stated it was from an unknown developer. Apple did leave a loophole, however. Enterprises use apps in myriad ways, and many users can t handle the new workflow for actively trusting apps. So ios natively trusts any app installed by MDM solutions, which are exclusively used by businesses. In fact, an app installed by an MDM will not show any indication of its origin. MOBILE DEVICE MANAGEMENT MDM solutions are often used by enterprises to support Bring Your Own Device (BYOD) programs, in which the company allows personal devices to be used to access corporate email and other corporate services. MDM is a central management tool that enables enterprises to manage policies on the devices used by their employees. Actions they can take include deploying security policies, remote wiping of lost or stolen devices, installing applications, and more. However, MDMs can also be exposed to Man-in-the-Middle (MitM) attacks. These attacks can allow easy installation of malicious enterprise apps over-the-air, because Apple gives apps installed using MDMs a free pass from heightened security measures. 2016 Check Point Software Technologies Ltd. All rights reserved 5

Malicious MDM-distributed apps can be abused by using the following process: 1. Install a malicious ios configuration profile. This is a native way to distribute a set of configuration settings like networking, security settings, root CAs, and more. A threat actor can craft a configuration profile that will install a root CA and route traffic through a VPN or a proxy to a malicious server, and then initiate a MitM attack. This configuration could be deployed using phishing attack. 2. Set up a remote enterprise app server to serve the malicious app. 3. Wait for a command to be sent to an ios device by an MDM: then, using a MitM attack, intercept and replace the command with a request to install a malicious app. The ios device will fetch from the remote enterprise app server and install it. 4. Execute commands using the malicious enterprise app which, because of the method used to install it, does not require explicit user trust. This means that users will not be able to distinguish between a legitimate enterprise app, an App Store app, or a bogus app installed by a threat actor. CONCLUSION 1. Apple s ios ecosystem has certain flaws in the enterprise app installation process that can allow unverified code to be introduced into the ios ecosystem. 2. Non-jailbroken devices are exposed to attacks by a threat actor using bogus enterprise apps. 3. Enterprises cannot rely on an end user s judgment in BYOD environments, since doing so introduces significant risk of exposure to malicious apps. 4. Enterprises should implement solutions that provide a clear way to view and assess the risk of malicious enterprise apps on mobile devices. IN-HOUSE APPS ARE NOT SUBMITTED TO THE APP STORE AND ARE NOT REVIEWED, APPROVED, OR HOSTED BY APPLE. YOU CAN DISTRIBUTE IN-HOUSE APPS EITHER BY HOSTING YOUR - ios Deployment Overview for Enterprise APP ON A SIMPLE INTERNAL WEB SERVER OR BY USING A THIRD-PARTY MDM OR APP MANAGEMENT SOLUTION. 2016 Check Point Software Technologies Ltd. All rights reserved 6

Apple and App Store are registered trademarks of Apple, Inc. 2016 Check Point Software Technologies Ltd. All rights reserved 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information