Companies can run their own internal app stores to provide staff with the apps they need. In this setup, which bypasses Apple's official App Store, a security provider says there is a dangerous security flaw. Apple and some security experts, however, dispute that it is one.
Normally, Apple's security measures prevent an attacker from planting apps on other people's iPhones. Every application uploaded to Apple's official App Store is reviewed for security flaws and other threats before it is released. For companies, Apple also provides a way to distribute apps that are not meant for the public: through Mobile Device Management (MDM), these apps can be installed on staff devices. In this system a possibly serious security flaw was found, which the security provider Check Point has named "Sidestepper". But what does that actually mean?
Sidestepper allows an attacker to bypass Apple's security measures and install any app they want on company iPhones. What Check Point found is that it is possible to send a user a manipulated MDM configuration by e-mail, phishing SMS or iMessage. If the user falls for it and installs the MDM configuration on their iPhone, the attacker can plant any app they want on the phone, steal important data or documents, secretly take screenshots and record any input. In addition, Check Point warns, they can monitor and read all data traffic on the device, just as in a classic man-in-the-middle attack (MITM), in which an attacker intercepts communications, reads them or even alters them.
According to Check Point, the installed apps can then disable other security functions, for example root the iPhone and tap into the microphone and camera. Even a breakout from the isolated app sandbox is possible, says the security provider in a white paper that can be downloaded after a short registration. Sidestepper relies, above all, on the user making a series of mistakes: first, tapping the link in the phishing message. Then they have to disregard the warning shown when the manipulated MDM configuration is installed. After that, the attacker tries to plant an app and, with just one more developer certificate, can gain root privileges and break out of the app sandbox; each of these steps displays further iOS prompts that should make the user suspicious. Apple has therefore taken the position that Sidestepper is not a vulnerability. Apple says the procedures used are safe and do not need to be changed: iOS trusts these instructions because the user themselves approved them. Private iPhone users are likewise not affected by Sidestepper, because they get their apps directly from Apple's App Store and their phones carry no separate MDM configuration.
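The two preceding paragraphs describe the attack from the victim's side: a manipulated MDM configuration arrives by phishing, and once installed it hands the attacker app installation and traffic interception. The check a defender would want is to look inside such a profile before it is trusted. The following is an added example, not code from Check Point, Apple or the article: it parses an iOS configuration profile (a property list whose PayloadContent array holds one dict per payload) and flags an MDM payload pointing at a server outside the corporate allowlist, a non-HTTPS MDM URL, broad AccessRights, and payloads that install a trusted root CA or reroute traffic. The host names, the CORPORATE_MDM_HOSTS allowlist and both sample profiles are constructed placeholders for this example.

```python
"""Triage an iOS configuration profile (.mobileconfig) before installing it.

Added example, not code from Check Point, Apple or the article.  A
.mobileconfig is a property list whose PayloadContent array holds one dict
per payload; the MDM enrollment payload has PayloadType "com.apple.mdm" and
a trusted-root-certificate payload has PayloadType "com.apple.security.root".
All host names below and both sample profiles are constructed for this example.
"""
import plistlib
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError

# Assumption: the organisation's legitimate MDM host(s); replace in practice.
CORPORATE_MDM_HOSTS = {"mdm.example-corp.internal"}

# Selected bits of the MDM payload's AccessRights bitmask (Apple MDM protocol
# reference); a value of 8191 requests every right.
ACCESS_RIGHT_BITS = {
    2: "install or remove configuration profiles",
    4: "lock the device or remove its passcode",
    8: "erase the device",
    2048: "change device settings",
    4096: "install or remove apps",
}

# Payload types that can redirect or intercept the device's traffic.
TRAFFIC_PAYLOADS = {"com.apple.proxy.http.global", "com.apple.vpn.managed"}


def _payload(ptype, ident, **extra):
    """Build one payload dict with the keys every payload must carry."""
    base = {"PayloadType": ptype, "PayloadIdentifier": ident,
            "PayloadUUID": ident + "-uuid", "PayloadVersion": 1}
    base.update(extra)
    return base


def _profile(ident, payloads):
    """Wrap payloads in a top-level Configuration profile, serialised as XML plist."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadIdentifier": ident,
                           "PayloadUUID": ident + "-uuid", "PayloadVersion": 1,
                           "PayloadDisplayName": "IT Security Update",
                           "PayloadContent": payloads})


# Constructed: what a phishing-delivered enrollment profile might look like.
MALICIOUS_PROFILE = _profile("com.example.attacker", [
    _payload("com.apple.mdm", "com.example.attacker.mdm",
             ServerURL="https://mdm.example-attacker.test/mdm",
             CheckInURL="http://mdm.example-attacker.test/checkin",
             Topic="com.apple.mgmt.External.attacker", AccessRights=8191),
    _payload("com.apple.security.root", "com.example.attacker.ca",
             PayloadContent=b"\x30\x82\x01\x00"),  # stand-in for a DER certificate
])

# Constructed: a profile from the corporate MDM requesting only query rights.
BENIGN_PROFILE = _profile("com.example-corp.mdm", [
    _payload("com.apple.mdm", "com.example-corp.mdm.payload",
             ServerURL="https://mdm.example-corp.internal/mdm",
             CheckInURL="https://mdm.example-corp.internal/checkin",
             Topic="com.apple.mgmt.External.corp", AccessRights=16 | 256),
])


def triage_profile(raw: bytes) -> list[str]:
    """Return human-readable findings for a profile; an empty list means nothing flagged."""
    try:
        profile = plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError):
        # A CMS-signed profile is DER, not XML, so a parse failure may simply
        # mean "signed": extract the inner plist (e.g. with openssl cms) first.
        return ["not a plain plist (signed, binary or corrupt): inspect manually"]

    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType is not 'Configuration'")
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            for key in ("ServerURL", "CheckInURL"):
                url = urlparse(payload.get(key, ""))
                if url.scheme != "https":
                    findings.append(f"MDM {key} is not https: {url.geturl()}")
                if (url.hostname or "") not in CORPORATE_MDM_HOSTS:
                    findings.append(f"MDM {key} points at unknown host {url.hostname!r}")
            rights = int(payload.get("AccessRights", 0))
            for bit, meaning in ACCESS_RIGHT_BITS.items():
                if rights & bit:
                    findings.append(f"MDM server could {meaning}")
        elif ptype == "com.apple.security.root":
            findings.append("installs a trusted root CA (enables TLS interception)")
        elif ptype in TRAFFIC_PAYLOADS:
            findings.append(f"redirects device traffic via a {ptype} payload")
    return findings


if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_PROFILE), ("benign", BENIGN_PROFILE)):
        print(f"{name}: {triage_profile(blob) or ['no findings']}")
```

Run against the constructed malicious profile, the script reports the unknown MDM host for both URLs, the plain-HTTP check-in URL, the five broad access rights and the root CA payload; the benign corporate profile produces no findings. A profile that fails to parse is reported rather than silently accepted, since a signed profile (which is what a user normally sees as "Verified" in iOS) is DER-wrapped and must be unwrapped before this check.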
Security expert Mark Zimmerman views the commotion about Sidestepper as fear mongering in an article for Computerwoche, stating that the mechanism Sidestepper exploits is an iOS function that is protected by a user prompt. So the problem lies less with Apple, he says, and more with users who are too trusting and increasingly ignore warning messages. Zimmerman finds that more of these messages would not make much sense, because many users no longer take them seriously. His advice to companies and users: "Inform yourself, stay skeptical and keep a clear head."
In addition to user education, modern security technology such as two-factor authentication is well suited to protecting company data against an attacker. Hardware tokens like CosmoKey fit into established data protection guidelines and do not store any personal information. Administrators retain full control over the device, the data and the integration at all times.