What exactly are enterprise certificates and who are they for?For $99, any developer can build Apple apps then install them on their own devices for testing before submitting them the App Store for sale. Each developer account is allowed to install their apps on a limited number devices for development and testing. The iOS Developer Enterprise Program relaxes limits on the number and identity of devices. For just $299, companies can develop and distribute apps intended for internal use only since most companies wouldn’t want proprietary, in-house apps on the App Store.
How does this expose enterprises to risk?Once an app is signed with a certificate, it’s considered validated by Apple and can run on any iOS device. Using enterprise certificates to install apps that haven’t been truly validated by Apple, or to install malicious surveillance software surreptitiously on a device isn’t a new technique. Although it does enable companies to distribute their own apps, it also opens the door to everything else. Apple’s response to the original Masque Attack threat was to claim that “… only users who turned off Apple’s own security controls on iOS would be vulnerable”. However, due to the fact that the security controls are essentially a dialog box that pops up asking a user if they agree to trust an enterprise provisioning certificate – this doesn’t provide much reassurance to enterprises. In fact, it is a practical attack vector that has actually been used several times in the past:
- The Original Pangu Jailbreak tool for iOS 7.1: Pangu was the first jailbreak tool that was able to run remotely as an app. Pangu developers bypassed Apple’s control and managed to leverage Apple’s restrictions for their purposes by using an Enterprise Certificate.
- WireLurker – As mentioned above, this is a relatively new advanced malware that affects both iOS and OSX devices: To install itself on iOS devices that aren’t jailbroken, WireLurker installs predefined malicious apps signed by an enterprise certificate. In this instance, the certificate is known to be comprised, and is used by other semi-illegal non-App Store apps such as Moviebox. These compromised apps can do anything from merely extracting basic information to installing full on malware.
- Masque Attack II - A brand new attack that is also based on the family of vulnerabilities known as Masque Attack. Without going into too much details, this attack is based on URL Scheme (iOS’s system for inter-app communication) Hijacking. With Masque II, attackers can completely bypass the "Do you trust this developer" screen, which is displayed the first time the user opens an app signed by an enterprise certificate – rendering Apple’s safety claims obsolete.
What can enterprises do to reduce exposure?It’s becoming more common for threat actors to push enterprise certificate-signed iOS apps, making third-party marketplaces are even more dangerous. So first and foremost, stress the importance of installing apps only from the Apple App Store or from your enterprise app store. As well, employees should be told to avoid opening suspicious links or installing unknown apps from potentially untrusted sources. About the Author: Yonni Shelmerdine is the lead Mobile Security Trends Analyst at Lacoon Mobile Security. Yonni brings five years of experience in Datacom & GSM network security analysis from an elite unit in Israel’s Intelligence Corps. Yonni heads the analysis of mobile attack trends where he researches new attack vectors and identifies major mobile malware attack patterns. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interesting in contributing to The State of Security, contact us here.