Apple users are vulnerable to sandbox vulnerability

Experts discovered that the sandbox vulnerability affects all apps that use the managed app configuration setting in devices that run older versions.

Kevin Watkins, a security researcher from Appthority, argues that users without iOS 8.4.1 are affected by the sandbox vulnerability, CVE-2015-3269. The flaw affects all apps that use the managed app configuration settings, meaning that Apple is storing enterprise credentials in a directory that can be read by everyone.

“IT will commonly send the credential and authentication information along with the managed app binary for installation on corporate mobile devices [which] often included access to the corporate data security jewels, including server URLs, and credentials with plaintext passwords,”.

“The underlying issue with our critical sandbox violation discovery is that … anyone can also see the credential information on the mobile device as it is stored world readable.” said Watkins.

“An attacker could target as many enterprises it can get into (using the iTunes store to spread an app designed to read and share the configuration files), or a specific target (traditional spear-phishing attack, through targeted e-mail, etc). In either case, they would develop an app that has a high chance of being installed in the enterprise, such as a productivity app. Once the app gets downloaded and installed on the devices, it would continuously monitor the directory for configuration settings being written to the world readable directory, harvesting and sending them to the attacker. Because all apps have access to the directory, it could hide in plain sight and operate as one of the many legitimate apps that have access to the directory in question.”

“An attacker (or a malicious app) with access to an MDM managed device can read all managed configuration settings for an unpatched device. Managed configuration is used to make the provisioning of apps easier and enterprise apps may use this mechanism to provision credentials or details about internal infrastructure this way. Those can be used by the attacker to gain access to those services.”

Corporate app data are more exposed, the expert highlighted the risk of a cyber attack that can allow hackers to steal information stored in an open directory (including mobile device management).

The tests conducted by Watkins revealed that medical apps used by doctors were leaking patient data, user names, passwords, authentication tokens.

“We also found apps used in the healthcare industry, giving doctors access to patient data and records (a likely HIPAA violation).” continues Watkins.

The analysis of the managed settings used by these apps revealed:

• Close to half (47%) referenced credentials, including username, password and authentication tokens.
• 67% referenced server identification information.

The good news is that Apple patched the CVE-2015-3269 sandbox vulnerability with the release iOS 8.4.1, but yet many people are running older iOS versions. It has been estimated that around 70% of users still have older iOS versions and still taking some months until iOS 8.4.1 is fully spread.

Please keep in mind the following recommendations to avoid these type of problems:

• Not using this mechanism to provision secret / confidential data
• Credentials and other secrets should always be stored using the device keychain
• A possible way to provision this data would be to use url schemes
• Use iOS single-sign-on profiles if possible

Elsio Pinto (@high54security) is at the moment the Lead Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Pierluigi Paganini

(Security Affairs – sandbox vulnerability, Apple iOS)