Sandbox bug in Apple’s iOS affects MDM systems

A sandbox vulnerability in Apple’s iOS operating system that affects mobile device management clients and certain mobile apps distributed via an MDM has been patched, but CISOs still have to be wary of devices trying to access their networks that haven’t been updated.

Appthority, which makes  a mobile application threat identification solution, described the vulnerability — which it calls Quicksand — earlier this week.

Not only are MDM clients vulnerable if the iOS device isn’t patched, so are mobile apps distributed through an MDM that use the “Managed App Configuration” setting to configure and store private settings and information. That’s because to “auto-fill” account setup for the MDM client and MDM-distributed apps, IT will commonly send the credential and authentication information along with the managed app binary for installation on corporate mobile devices, Appthority says.

The goal may be to give users virtually instant access to their corporate apps (and corporate data) without having to enter long strings of authentication credentials, but the information sent often included access to the internal server URLs, credentials with plaintext passwords and more, the company said.

“The underlying issue with our critical sandbox violation discovery is that not only can a mobile app (or the MDM vendor app itself) have access to this sensitive set-up and authentication information stored on the device, but anyone (or any other app on the device) can also see the credential information on the mobile device as it is stored ‘world readable,’” says Appthority.

Apple [Nasdaq: AAPL] fixed the problem with iOS 8.4.1, released Aug. 12, but infosec pros have to ensure their MDM solutions block devices that haven’t been upgraded. Even on devices that are patched,  Appthority warns, a device may already compromised; if so no amount of sandboxing will protect the data stored.

“An attacker could target as many enterprises it can get into (using the iTunes store to spread an app designed to read and share the configuration files), or a specific target (traditional spear-phishing attack, through targeted e-mail, etc),” warns Appthority. “In either case, they would develop an app that has a high chance of being installed in the enterprise, such as a productivity app. Once the app gets downloaded and installed on the devices, it would continuously monitor the directory for configuration settings being written to the world readable directory, harvesting and sending them to the attacker. Because all apps have access to the directory, it could hide in plain sight and operate as one of the many legitimate apps that have access to the directory in question.”

How big a problem could it be? Appthority says a search of its collection of iOS apps on managed enterprise devices that could be vulnerabile and found close to half (47%) referenced credentials, including username, password and authentication tokens, and 67 per cent referenced server identification information in their managed settings.

If possible, Appthority recommends IT not use “Managed App Configuration” setting to configure and store private settings and information. Instead credentials and other secrets should always be stored using the device keychain.  A possible way to provision this data would be to use url schemes, it adds. Finally it says iOS single-sign-on profiles should be used if possible.

Separately, yesterday Apple pushed out a new version of QuickTime for Windows that patched nine vulnerabilities, including a handful reported Aug. 13 by Cisco Talos and Fortinet researchers, reports ThreatPost.  The QuickTime update comes a week after a giant patch update for Mac OS X, OS X Server and iOS that addressed dozens of vulnerabilities, including a critical privilege escalation issue in the DYLD dynamic linker that was disclosed a month earlier.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web