Enterprise Apps: Bypassing the Gatekeeper

Similar documents
BYPASSING THE ios GATEKEEPER

ENTERPRISE APPS: BYPASSING THE IOS GATEKEEPER. Ohad Bobrov Avi Bashan

Protecting Android Mobile Devices from Known Threats

How To Protect Your Mobile Device From Attack

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Enterprise Mobile Threat Report

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

OUT OF POCKET: A Comprehensive Mobile Threat Assessment of 7 Million ios and Android Apps FEBRUARY 2015 SECURITY REIMAGINED

Enterprise Mobile Security. Managing App Sideloading Threats on ios

{ipad Security} for K-12. Understanding & Mitigating Risk. plantemoran.com

Mobile Device Management:

BYOD Guidance: BlackBerry Secure Work Space

Security Best Practices for Mobile Devices

Elevation of Mobile Security Risks in the Enterprise Threat Landscape

End User Devices Security Guidance: Apple ios 8

Mobile Device Management

Mobile Security: Threats and Countermeasures

Utilizing Pervasive Application Monitoring and File Origin Tracking in IT Security

Penetration Testing for iphone Applications Part 1

The Truth About Enterprise Mobile Security Products

The Use of the Simple Certificate Enrollment Protocol (SCEP) and Untrusted Devices

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Workday Mobile Security FAQ

Secure File Sync & Share with Acronis Access Advanced Date: July 2015 Author: Kerry Dolan, Lab Analyst

Mobile Security BYOD and Consumer Apps

Mobile Threat Intelligence Report

Mobile Device as a Platform for Assured Identity for the Federal Workforce

Software that provides secure access to technology, everywhere.

Secure Your Mobile Workplace

Five Tips to Reduce Risk From Modern Web Threats

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

The Cloud App Visibility Blindspot

of firms with remote users say Web-borne attacks impacted company financials.

Guideline on Safe BYOD Management

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

Threat Model for Mobile Applications Security & Privacy

Detecting Cyber Attacks in a Mobile and BYOD Organization

The Oracle Mobile Security Suite: Secure Adoption of BYOD

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

BYOD in the Enterprise

Deploying. Mac. Five best practices

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

BUILDING SECURITY IN. Analyzing Mobile Single Sign-On Implementations

Securing Office 365 with MobileIron

Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program

Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices

Enterprise Security with mobilecho

ABSTRACT' INTRODUCTION' COMMON'SECURITY'MISTAKES'' Reverse Engineering ios Applications

IBM Endpoint Manager for Mobile Devices

NATIONAL CYBER SECURITY AWARENESS MONTH

MOBILE SECURITY: DON T FENCE ME IN

SECURING TODAY S MOBILE WORKFORCE

TechnoLabs Software Services Pvt Ltd. Enterprise Mobility - Mobile Device Security

Embracing BYOD. Without Compromising Security or Compliance. Sheldon Hebert SVP Enterprise Accounts, Fixmo.

IBM Security re-defines enterprise endpoint protection against advanced malware

Kaspersky Security for Mobile

Mac in the Enterprise

DUBEX CUSTOMER MEETING

OWA vs. MDM. Once important area to consider is the impact on security and compliance policies by users bringing their own devices (BYOD) to work.

Sophistication of attacks will keep improving, especially APT and zero-day exploits

ios Enterprise Deployment Overview

ipad in Business The Top Considerations

Why should I care about PDF application security?

The Incident Response Playbook for Android and ios

Improve your mobile application security with IBM Worklight

Vodafone Global Enterprise Deploy the Apple iphone across your Enterprise with confidence

SPEAR PHISHING UNDERSTANDING THE THREAT

BlackBerry 10.3 Work and Personal Corporate

Addressing NIST and DOD Requirements for Mobile Device Management

Mobile Application Security Sharing Session May 2013

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Symantec App Center. Mobile Application Management and Protection. Data Sheet: Mobile Security and Management

Running Head: AWARENESS OF BYOD SECURITY CONCERNS 1. Awareness of BYOD Security Concerns. Benjamin Tillett-Wakeley. East Carolina University

Mobile First Government

Using the Apple Configurator and MaaS3360

Practical Attacks against Mobile Device Management (MDM) Michael Shaulov, CEO Daniel Brodie, Security Researcher Lacoon Mobile Security

State of App Security

Android v ios Mobile Operating Systems

Total Enterprise Mobility

Understanding the Critical Ramifications of Apple s Impending ios VPN Changes

Ensuring the security of your mobile business intelligence

Kony Mobile Application Management (MAM)

Internet threats: steps to security for your small business

Deploying iphone and ipad Security Overview

Adobe Flash Player and Adobe AIR security

V ISA SECURITY ALERT 13 November 2015

Guidance End User Devices Security Guidance: Apple ios 7

CERTIFIGATE. Front Door Access to Pwning hundreds of Millions of Androids. Avi Bashan. Ohad Bobrov

Kaspersky Fraud Prevention platform: a comprehensive solution for secure payment processing

Samsung SDS. Enterprise Mobility Management

Marble & MobileIron Mobile App Risk Mitigation

Three Best Practices to Help Enterprises Overcome BYOD Challenges

curbi for Schools Technical Overview October 2014

Securing Corporate on Personal Mobile Devices

Symantec Mobile Management Suite

Deploying iphone and ipad Apple Configurator

Defense Media Activity Guide To Keeping Your Social Media Accounts Secure

What We Do: Simplify Enterprise Mobility

Security for Mac Computers in the Enterprise

Transcription:

Enterprise Apps: Bypassing the Gatekeeper By Avi Bashan and Ohad Bobrov Executive Summary The Apple App Store is a major part of the ios security paradigm, offering a central distribution process that allows verification of nearly all code executed on iphones and ipads. However, there are a number of architectural flaws in this ecosystem. This report covers one such flaw that exposes ios users in the enterprise to cyberattacks. The Check Point research team has successfully exploited a security flaw in Apple s ios 9 that allows cybercriminals to install malicious apps on enterprise employees iphones and ipads. The flaw hinges on cybercriminals staging a Man-in-the-Middle attack that hijacks communications between managed ios devices and Mobile Device Management (MDM) solutions. This exploit could give cybercriminals control of devices and the data that resides on them, potentially impacting millions of ios users worldwide whose devices are managed by an MDM. The research team s findings and a video demonstrating an attack were submitted to Apple s security team in October 2015. Apple responded in November 2015 that the behavior the team demonstrated was expected. 1

Developing Apps for ios A substantial part of the ios value proposition hinges on providing superior security and privacy for users and their sensitive data. Apple uses several distinct approaches to achieve this, including: Sandboxing: Each app is embedded within a sandbox that limits its privileges and capabilities to access or operate within protected parts of the OS. Permissions: Apps that require certain access to resources in order to function must request specific permissions from the user. Signed code: Unless a device is jailbroken, only signed code can run on a device. This is done to ensure all code running on a device has received final approval from Apple and is safe to use. ios apps are strictly controlled by Apple. As part of Apple s app strategy, a single App Store lets users download apps to devices. Developers must be registered in order to publish apps on the App Store. This enables Apple to control who s developing apps for its ecosystem, and to banish developers who fail to meet its standards. ios developers can t develop apps anonymously if they want their apps on the App Store. App Review Process Each time a developer publishes a new version of an app, it must undergo a rigorous security review. This review process may take several weeks and is conducted according to a basic set of rules outlined in the App Store Review Guidelines 1. These rules filter out apps that contain improper content, that are low quality, or that have a malicious intent. During the review, the app s content, functionality, behavior, APIs, and many other aspects are scrutinized to prevent malicious or dangerous apps from being published in the App 1 https://developer.apple.com/app-store/review/guidelines/ 2

Store. Although this process is thorough, Apple s approval process can sometimes allow dangerous apps into the App Store 2. Apple Developer Enterprise Program Apple created the Apple Developer Enterprise program to offer businesses a way to develop and distribute apps for internal use. These apps can be distributed quickly and directly to devices, enabling enterprises to develop apps that meet their own business requirements without publishing them on the App Store. In this way, enterprise can avoid a lengthy review process and, more importantly, keep these apps out of the hands of nonemployees. In-house apps are not submitted to the App Store and are not reviewed, approved, or hosted by Apple. You can distribute in-house apps either by hosting your app on a simple internal web server or by using a third-party MDM or app management solution. - ios Deployment Overview for Enterprise What is a developer certificate? A certificate, signed by Apple, that developers can use for signing apps they create in XCode. Apps signed with this certificate can be installed on ios devices without having to be vetted through the traditional App Store process. This is done not only for testing purposes, but for enterprises who may want to develop apps themselves then distribute them to their employees without requiring that these employees install the app through the App Store. 2 https://en.wikipedia.org/wiki/xcodeghost 3

Enterprise App Capabilities Malicious enterprise apps can cause significant harm. Cyber criminals can use various methods to achieve malicious goals like: Abuse public APIs: Apple makes APIs available for developer use. During the review process, Apple makes sure that apps use APIs only for their expressed purpose. An enterprise app can abuse public APIs to gain extended capabilities, such as the VOIP API which can be abused in order to run an app in the background silently and constantly. Abuse private APIs: These APIs are internal Apple API. Apple forbids developers from using these in order to protect users sensitive data. However, since enterprise apps do not pass through Apple s review, developers can abuse them freely. Using these APIs, enterprise apps can access installed apps and sensitive information Apple tries to protect. Exploit: Enterprise apps can exploit the ios by jailbreaking it. In this scenario, apps can do virtually anything their creator wants, like controlling both the device and the user s information. There is very little that limits enterprise app developers from using these methods in a malicious way. The second line of defense is the ios user s trust. A user must explicitly approve an enterprise app for it to be installed. This is supposedly an effective way to prevent malicious enterprise apps from being installed. However, most users will still go through the extra steps to install an app, as can be seen from our field research, allowing enterprise apps to be installed regardless of their origin. Although developers of enterprise apps must sign an agreement not to abuse APIs or exploit the operating system, user trust alone cannot be considered a valid form of protection. 4

From Theory to Practice: Enterprise App Abuse Enterprise app certificates are abused on a regular basis. Third-party app stores like vshare, 25PP, Kuaiyong, 7659 and others abuse certificates as a distribution method. These third-party app stores register as an enterprise with Apple to enter the program and obtain an enterprise certificate. They use the certificate to install apps on their customers devices, claiming they are staff members. Unfortunately, many examples of malicious abuse of enterprise apps can be found: 5

Test case: Hacking Team One example of an attack that abused enterprise developer certificates is the case of the Hacking Team s ios malware, which in 2015 targeted ios versions 8.1.3 and earlier. The malware leveraged a vulnerability dubbed Masque Attack, which allows enterprise apps to replace existing apps on a device, including system apps. The newly-installed app keeps the original app s directory and can steal any local cache that existed. In order to create an app with a matching bundle identifier, an attacker must use an enterprise certificate, as bundle id verification is done when submitting an app to the App Store. Hacking Team used this attack method and abused an enterprise certificate they owned. Using this certificate, they created a malicious app disguised as the Newsstand app which was native to ios until ios 9. The malware accessed the user s location, photos and address book and sent their data to a server. In addition, the malware installs a keyboard which records all keystrokes and sends them to the server. The only reason Hacking Team could have leveraged the Masque Attack is because they used an enterprise certificate to bypass the App Store bundle identifier check. Case Study: Fortune 100 Company Check Point researchers studied the use of enterprise apps in a Fortune 100 company, analyzing approximately 5,000 devices. The results were intriguing: 318 unique enterprise apps were installed 116 unique enterprise certificates were used Of the 116 unique enterprise certificates, only 11 belonged to whitelisted developers with positive reputations and a record of having previously developed apps. Most of the certificates belonged to developers with little or no information about their reputation. 6

More than 70 percent of the enterprise apps originated in China and other Asian countries. Because the App Store in China is not as widely adopted as in other parts of the world, developers distribute apps to other app marketplaces. 7

A Hard Problem to Solve Following the attacks on the timeline above, Apple understood the problem with enterprise apps. Enterprise apps cannot be eliminated since many organizations are already heavily invested in this this solution. However, Apple did take certain steps to mitigate the threat. In response to what amounted to a significant vulnerability to their ecosystem, Apple introduced a new security measure for enterprise apps that will increase the complexity of executing enterprise apps. When the enterprise app is initially downloaded, the user must go through a maze of settings screens in order to verify the app s developer. Only after this verification process may the app be executed. This process differs from previous versions of ios, in which the user was merely shown a message the first time they opened an app that stated it was from an unknown developer. Apple did leave a loophole, however. Enterprises use apps in myriad ways, and many users can t handle the new workflow of actively trusting apps. So ios natively trusts any app installed by a Mobile Device Management (MDM) solution, which is exclusively used by businesses. In fact, an app installed by an MDM, will not show any indication of its origin. Mobile Device Management (MDM) MDM solutions are used often by enterprises to support BYOD (Bring Your Own Device) programs, in which the business allows personal devices to be used to access email and other corporate services. MDM is a central management tool that enables enterprises to manage policies on the devices used by their employees. Actions they can take include deploying security policies, remote wiping lost or stolen devices, installing applications and more. However, MDMs can be exposed to Man-in-the-Middle (MiTM) attacks which can be used to install enterprise apps. Combine this with Apple s policy of giving apps installed via MDM a free pass and you get a dangerous combination." 8

Bypassing the Gatekeeper MDM-distributed apps can be abused by using the following process: Installing an ios configuration profile: A native way to distribute a set of configuration settings such as networking, security settings, root CAs and more. An attacker can craft a configuration profile which will install a root CA and route traffic through a VPN or a proxy to a malicious server and initiate a MiTM attack. This configuration could be deployed through a phishing attack easily. Setting up a remote enterprise app server which serves the malicious app. Using a MiTM attack, an attacker can wait for a command sent by the MDM server. Once intercepted, the attacker can replace the command with an app install request. The ios device will fetch and install the malicious enterprise app. The malicious enterprise app can now execute without explicit user trust. The user will not be able to distinguish between legitimate enterprise, App Store apps, or a bogus app installed by an attacker. Conclusion 1. Apple s ios ecosystem allows unverified code to be introduced to the ios ecosystem through enterprise apps. 2. Non-jailbroken devices are exposed to attacks by a malicious actor using bogus enterprise apps. 3. Enterprises cannot trust the end user judgment in BYOD environments as Apple suggests since they will remain exposed, as we have demonstrated. 4. The additional security mechanisms that Apple has added to the enterprise apps execution may not be enough to mitigate the issue. 5. Enterprises should have a clear way to view and assess the enterprise Apps in their organizations. 2016 Check Point Software Technologies, Ltd. All rights reserved. Apple and App Store are registered trademarks of Apple, Inc. 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information