A new threat to iPhones and iPads sidesteps Apple’s Gatekeeper mechanism, a security vendor said.
Check Point Software said the threat, which it dubbed SideStepper, particularly targets enterprise apps on iOS devices with a mobile device management (MDM) solution.
“SideStepper is a vulnerability that allows an attacker to circumvent security enhancements in iOS 9 meant to protect users from installing malicious enterprise apps. These enhancements require the user to take several steps in device settings to trust an enterprise developer certificate, making it harder to install a malicious app accidentally,” it said.
But it noted that enterprise apps installed through an MDM are exempt from these security enhancements, potentially allowing attackers to spoof trusted MDM commands and mount attacks.
The attacks may include over-the-air installation of apps signed with enterprise developer certificates, it added.
It said this vulnerability can potentially affect millions of iPhone or iPad devices enrolled with an MDM solution.
“(An attacker can convince) a user to install a malicious configuration profile on a device by using a phishing attack. This simple and often effective attack method uses messaging platforms like SMS, instant messaging, or email to trick users into clicking a malicious link,” it said.
Once installed, the malicious profile lets an attacker conduct a Man-in-the-Middle (MitM) attack on the communication between the device and an MDM solution.
“Without an advanced mobile threat detection and mitigation solution on the iOS device, there is little chance a user would suspect any malicious behavior had taken place. On a managed iOS device commands from an MDM are trusted, and because these commands appear to the user as coming from the MDM that already manages the device, the entire process seems authentic,” Check Point said.
The company said malicious apps installed this way can:
– capture screenshots, including screenshots captured inside secure containers
– record keystrokes, threatening login credentials of personal and business apps and sites
– save and send sensitive information like documents and pictures to an attacker
– control sensors like the camera and microphone
For now, Check Point recommended that users ask their enterprises to deploy a mobile security solution that detects and stops advanced mobile threats.
“Examine carefully any app installation request before accepting it to make sure it’s legitimate,” it added.
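The attack described above starts with a configuration profile the user is tricked into installing, so one defensive check is to inspect a profile's payloads before it reaches a device. The following is an added example, not code from Check Point or Apple: it parses an unsigned `.mobileconfig` plist and flags payload types that can put a third party in the traffic path. The choice of payload types to flag is an assumption, since the article does not say what the malicious profile contained, and the sample profile is constructed.

```python
import plistlib

# Payload types that can place a third party in the traffic path or change who
# manages the device. Treating these as the ones to flag is an assumption of
# this example; the article does not say what the malicious profile contained.
RISKY_PAYLOADS = {
    "com.apple.security.root": "adds a trusted root CA certificate",
    "com.apple.proxy.http.global": "sends web traffic through a proxy",
    "com.apple.vpn.managed": "sends traffic through a VPN",
    "com.apple.mdm": "enrolls the device with an MDM server",
}

def audit_profile(data: bytes) -> list[tuple[str, str, str]]:
    """Return (payload type, display name, reason) for each risky payload."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:
        # Signed profiles are CMS-wrapped and must be unwrapped before parsing.
        raise ValueError("not an unsigned plist configuration profile") from exc
    findings = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            name = payload.get("PayloadDisplayName", "(unnamed)")
            findings.append((ptype, name, RISKY_PAYLOADS[ptype]))
    return findings

# Constructed sample profile, not taken from any real campaign.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Corporate Wi-Fi Update",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadDisplayName": "Example Root CA",
         "PayloadContent": b"constructed-placeholder-bytes"},
        {"PayloadType": "com.apple.proxy.http.global",
         "PayloadDisplayName": "Web Proxy",
         "ProxyServer": "proxy.example.invalid", "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.webClip.managed",
         "PayloadDisplayName": "Intranet Shortcut",
         "URL": "https://intranet.example.invalid/"},
    ],
})

if __name__ == "__main__":
    for ptype, name, reason in audit_profile(SAMPLE_PROFILE):
        print(f"{ptype}: {name}: {reason}")
```

A profile that yields findings is not necessarily malicious, because legitimate MDM enrollment uses the same payloads; the output is a prompt to confirm the profile's origin with the enterprise's IT team.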