iOS Vulnerability Exposes Mobile Enterprise Credentials
There’s a new iOS vulnerability that may affect enterprises that use mobile device management (MDM) applications and clients, potentially exposing sensitive configuration settings, credentials, server information and more.
Mobile security provider Appthority’s security research team discovered that user credentials were stored in an unprotected directory by MDMs on iOS, meaning other mobile apps could potentially see and steal this information.
Appthority worked with the Apple Security Team to ensure a fix for this vulnerability was included in the latest iOS update, 8.4.1, so if you haven’t already, be sure to update your software.
While many enterprise organizations may install an MDM client on users’ personal phones to manage and control access to corporate data, it can also become a security risk, not to mention a privacy concern for employees’ personal data.
As Appthority stated, once corporate IT signs up a new employee for an MDM account and installs the client on their mobile device, configuration settings, credentials and corporate apps are sent to that device. Those managed configuration settings are not scoped to the app they belong to; with just a bit of code, any other application on the same device can read them.
After a survey of their own global app collection on enterprise devices, Appthority found that nearly half (47 percent) of the managed settings on corporate apps referenced credentials such as usernames, passwords and authentication tokens.
Although this vulnerability (dubbed Quicksand, as it is a sandbox violation) has been patched, Appthority notes that nearly 70 percent of iOS devices aren’t updated to the latest version of iOS. That means many of your employees may be vulnerable to credential-stealing attacks, putting your company’s data at risk.
Visibility & Control - Without Installing a Client
Another way to gather information about the types of devices authenticating into your corporate environment is by using a security solution that doesn’t require the use of an installed client. One example is Duo Security’s Device Insight, a dashboard that tracks the following metrics on your users’ mobile devices:
- Device, operating system (OS), platform and model types - useful for tracking any outdated versions that may be vulnerable
- Full disk encryption, passcode, touch ID, screen lock and jailbroken status - also useful for tracking any out-of-compliance devices
With a quick visual overview of your devices, you can find out which users and devices could potentially put your entire organization at risk of leaking sensitive company data or credentials.
For complete assurance, you can also set up a control that only allows devices running a minimum OS version to authenticate into your environment. This may reduce the amount of risk a user’s device introduces into your corporate network, and it gives users an incentive to update their software more frequently in order to avoid workflow disruptions.
Using Duo’s Policy and Controls, you can apply this kind of control either globally to all of your users, or by user group (created and customized by your administrators). Learn more about Duo Access and how you can better manage mobile device security.
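The minimum-OS-version and device-health control described above can be modelled as a small policy engine. The following is an added example written for this article, not Duo's own code or API: it assumes a constructed device inventory (the `user`, `group`, `platform`, `os_version`, `encrypted`, `passcode` and `jailbroken` fields are assumptions) and evaluates each record against a global policy or a stricter per-group policy, reporting why a device would be refused. It also handles the cases a real inventory produces: version strings of different lengths (`8.4` versus `8.4.1`), platforms the policy does not cover, and missing or unreadable version data.

```python
"""Minimum-OS-version and device-health policy evaluation over a device inventory.

Added example for this article; not Duo's code. Field names and the sample
records below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


@dataclass
class DevicePolicy:
    # Lowest OS version allowed to authenticate, keyed by platform name.
    # Platforms absent from this map get no version check.
    min_os_version: Dict[str, Version] = field(default_factory=dict)
    require_encryption: bool = True
    require_passcode: bool = True
    block_jailbroken: bool = True


def parse_version(text: str) -> Version:
    """Turn '8.4.1' into (8, 4, 1). Raises ValueError on empty or malformed input."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_at_least(actual: Version, minimum: Version) -> bool:
    """Numeric comparison, zero-padded so that '8.4' is treated as '8.4.0'."""
    width = max(len(actual), len(minimum))
    padded_actual = actual + (0,) * (width - len(actual))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_actual >= padded_minimum


def evaluate_device(device: dict, policy: DevicePolicy) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). An empty reasons list means the device is compliant."""
    reasons: List[str] = []
    platform = device.get("platform", "unknown")
    minimum = policy.min_os_version.get(platform)
    if minimum is not None:
        try:
            current = parse_version(device.get("os_version", ""))
        except ValueError:
            # Unknown version is treated as non-compliant rather than silently allowed.
            reasons.append("OS version missing or unreadable")
        else:
            if not version_at_least(current, minimum):
                wanted = ".".join(str(n) for n in minimum)
                reasons.append(f"{platform} {device['os_version']} below required {wanted}")
    if policy.block_jailbroken and device.get("jailbroken", False):
        reasons.append("device is jailbroken")
    if policy.require_encryption and not device.get("encrypted", False):
        reasons.append("full disk encryption not enabled")
    if policy.require_passcode and not device.get("passcode", False):
        reasons.append("no passcode or screen lock")
    return (not reasons, reasons)


def evaluate_fleet(devices: List[dict], policies: Dict[str, DevicePolicy],
                   default_group: str = "global") -> Dict[str, Tuple[bool, List[str]]]:
    """Apply the user's group policy when one exists, otherwise the global policy."""
    results = {}
    for device in devices:
        policy = policies.get(device.get("group"), policies[default_group])
        results[device["user"]] = evaluate_device(device, policy)
    return results


def noncompliant_users(results: Dict[str, Tuple[bool, List[str]]]) -> List[str]:
    """Sorted list of users whose device would be refused authentication."""
    return sorted(user for user, (allowed, _) in results.items() if not allowed)


# Constructed sample inventory (not real data).
DEVICES = [
    {"user": "alice", "group": "engineering", "platform": "iOS", "os_version": "8.4.1",
     "encrypted": True, "passcode": True, "jailbroken": False},
    {"user": "bob", "group": "sales", "platform": "iOS", "os_version": "8.3",
     "encrypted": True, "passcode": True, "jailbroken": False},
    {"user": "carol", "group": "sales", "platform": "iOS", "os_version": "8.4.1",
     "encrypted": True, "passcode": True, "jailbroken": True},
    {"user": "dave", "group": "engineering", "platform": "iOS", "os_version": "8.4.1",
     "encrypted": True, "passcode": False, "jailbroken": False},
    {"user": "erin", "group": "sales", "platform": "Android", "os_version": "5.1.1",
     "encrypted": True, "passcode": True, "jailbroken": False},
    {"user": "frank", "group": "contractors", "platform": "iOS", "os_version": "",
     "encrypted": True, "passcode": True, "jailbroken": False},
]

# Global policy requires the patched iOS 8.4.1; engineering also raises the Android floor.
POLICIES = {
    "global": DevicePolicy(min_os_version={"iOS": (8, 4, 1), "Android": (5, 0)}),
    "engineering": DevicePolicy(min_os_version={"iOS": (8, 4, 1), "Android": (5, 1)}),
}

if __name__ == "__main__":
    for user, (allowed, reasons) in evaluate_fleet(DEVICES, POLICIES).items():
        print(user, "allowed" if allowed else "denied: " + "; ".join(reasons))
```

The per-group map mirrors applying a control globally or to a user group: a group without its own entry falls back to the global policy, so tightening a single group never loosens the baseline. Treating an empty or malformed version string as non-compliant is deliberate, since a device whose OS version cannot be read is exactly the one you cannot vouch for.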