It affects all mobile device management (MDM) clients, and any mobile applications distributed by an MDM that use the “Managed App Configuration” setting for private data.
When a new iOS device is enrolled in a company's mobile device management system, it's first given an MDM account and a client application, and apps distributed through the MDM can then receive their settings via Managed App Configuration. Appthority found that the sensitive information used to set this up (often including server URLs, usernames, passwords and authentication tokens) is stored in a "world readable" location on the device, which means that any other app on the device, or anyone with access to its filesystem, can read it.
An attacker could potentially create a rogue app, perhaps masquerading as a productivity tool to increase the chances of it getting installed, and then distribute it through the App Store or by "spear phishing" email attacks.
Even worse, such an app would be hard to spot: because the managed configurations are stored in a world readable location, reading them requires no special permission or entitlement, so the rogue app's access looks no different from that of the legitimate apps it blends in with.
Appthority has worked directly with Apple’s Security Team on the patch, which was included in iOS 8.4.1, the latest update. However, Appthority say that up to 70% of iOS users aren’t running the latest version, even months after an update’s been released – leaving these users vulnerable to the flaw.
Among the affected apps, 47% included credentials, such as passwords, usernames, and authentication tokens. 67% included identification details for servers.
The mobile security company has been working on best practices for sensitive data, along with their MDM partners.
Appthority recommends: “Storing any credentials or authentication tokens on the mobile device filesystem should be avoided.”
They also point out that patched devices could already have been compromised, in which case: "…no amount of sandboxing will protect the data stored on the iOS device. If this option is unavoidable, we recommend:
1. Not using this mechanism to provision secret / confidential data
2. Credentials and other secrets should always be stored using the device keychain
3. A possible way to provision this data would be to use URL schemes
4. Use iOS single-sign-on profiles if possible.”
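The practical check that follows from the finding above and from Appthority's guidance is an audit of what actually lands in an app's managed configuration. The script below is an added example, not Appthority's tooling or Apple's code: it parses an app's preferences plist (Managed App Configuration is delivered to an app as the dictionary under Apple's documented `com.apple.configuration.managed` key), flags keys that look like credentials or server identifiers, and totals the results across apps in the same form as the 47% and 67% figures quoted earlier. The sample plists, key names and matching patterns are constructed for illustration; a real audit would feed it the preferences plists pulled from a device backup or filesystem dump.

```python
import plistlib
import re

# Apple's documented key under which Managed App Configuration is exposed
# to the app (it is persisted with the app's other preferences).
MANAGED_KEY = "com.apple.configuration.managed"

# Constructed sample preferences plists for three hypothetical MDM-distributed
# apps. Key names and values are invented for this example.
SAMPLE_APPS = [
    # App 1: the pattern Appthority warns about - secrets pushed via config.
    plistlib.dumps({
        MANAGED_KEY: {
            "serverURL": "https://mdm.example.com/api",
            "apiUser": "svc-mobile",
            "apiPassword": "hunter2",
            "authToken": "eyJhbGciOiJIUzI1NiJ9.example",
            "syncIntervalMinutes": 15,
        },
        "lastLaunch": "2015-08-20",
    }),
    # App 2: follows the guidance - only non-secret settings in config.
    plistlib.dumps({
        MANAGED_KEY: {
            "serverURL": "https://crm.example.com",
            "theme": "dark",
        },
    }),
    # App 3: no managed configuration at all.
    plistlib.dumps({"lastLaunch": "2015-08-21"}),
]

# Heuristic patterns for key names; tune these for the apps you audit.
CREDENTIAL_PATTERN = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|credential|user(name)?)", re.I)
SERVER_PATTERN = re.compile(r"(server|host|url|endpoint|domain)", re.I)


def extract_managed_config(plist_bytes):
    """Return the Managed App Configuration dictionary, or {} if none."""
    prefs = plistlib.loads(plist_bytes)
    return prefs.get(MANAGED_KEY) or {}


def classify_managed_config(config):
    """Split string-valued config keys into credential-like and server-like."""
    creds, servers = [], []
    for key, value in config.items():
        if not isinstance(value, str):
            continue  # ints, bools, dates are not secrets or hostnames
        if CREDENTIAL_PATTERN.search(key):
            creds.append(key)
        elif SERVER_PATTERN.search(key) or re.match(r"https?://", value):
            servers.append(key)
    return {"credentials": sorted(creds), "server_identifiers": sorted(servers)}


def audit_app(plist_bytes):
    """Audit one app's preferences plist for secrets in its managed config."""
    findings = classify_managed_config(extract_managed_config(plist_bytes))
    # Any credential in the world-readable config violates the guidance
    # that secrets belong in the keychain, not the filesystem.
    findings["violates_guidance"] = bool(findings["credentials"])
    return findings


def summarize(audits):
    """Percentages in the same form as the 47% / 67% figures in the article."""
    n = len(audits)
    with_creds = sum(1 for a in audits if a["credentials"])
    with_servers = sum(1 for a in audits if a["server_identifiers"])
    return {
        "apps": n,
        "with_credentials_pct": round(100 * with_creds / n),
        "with_server_identifiers_pct": round(100 * with_servers / n),
    }


if __name__ == "__main__":
    results = [audit_app(p) for p in SAMPLE_APPS]
    for i, r in enumerate(results, 1):
        print(f"app {i}: {r}")
    print(summarize(results))
```

Only keys whose values are strings are examined, and the credential check runs before the server check so that a key such as `serverPassword` is counted as a credential rather than a server identifier.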