Pierluigi Paganini April 01, 2016

SideStepper is a method to install malicious apps on iOS devices by abusing the mobile device management (MDM) solutions.

Security researchers from the Check Point firm have devised a method to install a malicious code on iOS devices by abusing the mobile device management (MDM) solutions used by many enterprises.

The technique relies on a vulnerability dubbed by the experts SideStepper, but that Apple considers it as a normal behavior.

“SideStepper is a vulnerability that allows an attacker to circumvent security enhancements in iOS 9 meant to protect users from installing malicious enterprise apps. These enhancements require the user to take several steps in device settings to trust an enterprise developer certificate, making it harder to install a malicious app accidentally.” state the blog post published by Check Point.

Apple allows enterprises to distribute internally-used apps through a Developer Enterprise Program instead passing through the App Store. In order to install the apps, enterprises need to use certificates signed by Apple.

The program allows organizations to install internal apps on employee devices using enterprise certificates signed by Apple.

However, hackers have abused in several circumstances of digital certificates so Apple introduced new security enhancements in iOS 9.

“These enhancements require the user to take several steps in device settings to trust an enterprise developer certificate, making it harder to install a malicious app accidentally.” States the CheckPoint firm.

MDM solutions are used by enterprises to easily manage mobile devices used by employees. MDM allows the easy management of any aspect of the mobile devices, including installing apps, deployment of security policies, and remotely wipe phones.

Experts at CheckPoint firm highlighted that threat actors can launch a man-in-the-middle (MitM) attack against the MDM solution to allow the installation of malicious enterprise apps over-the-air, this is possible because Apple gives apps installed using MDMs the possibility to bypass security measures.

Malicious MDM-distributed apps can be abused by using the following process:

1. Install a malicious iOS configuration profile. This is a native way to distribute a set of configuration settings like networking, security settings, root CAs, and more. A threat actor can craft a configuration profile that will install a root CA and route traffic through a VPN or a proxy to a malicious server, and then initiate a MitM attack. This configuration could be deployed using phishing attack.
2. Set up a remote enterprise app server to serve the malicious app.
3. Wait for a command to be sent to an iOS device by an MDM: then, using a MitM attack, intercept and replace the command with a request to install a malicious app. The iOS device will fetch from the remote enterprise app server and install it.
4. Execute commands using the malicious enterprise app which, because of the method used to install it, does not require explicit user trust. This means that users will not be able to distinguish between a legitimate enterprise app, an App Store app, or a bogus app installed by a threat actor.

Basically, the attackers could intercept the command sent by the MDM to the devices and replace it with a request to install a malicious app. The operation doesn’t need user’s interaction making hard to discover the attack.

The SideStepper technique could be used to infect Apple devices and control them with a malicious code.

CheckPoint suggests enterprises to carefully assess the risk of malicious applications on mobile devices.

Experts from CheckPoint will present the SideStepper method at the Black Hat Asia conference Today.

Pierluigi Paganini

Security Affairs –  (SideStepper, Apple iOS)