Researchers have discovered a flaw in the app isolation "sandbox" of Apple's iOS mobile operating system that could allow enterprise-managed iOS devices to accidentally leak credential and configuration data to third-party applications.
Security firm Appthority published details of the vulnerability - dubbed "Quicksand" - this week after alerting Apple.
The problem stems from a permissions issue within the managed application configuration system, which was introduced with iOS 7.
It is intended to allow enterprises to more easily administer iOS devices, offering a built-in mechanism for distributing and storing application configuration data.
The system was designed to give access to the data only to the applications that need it, but Appthority discovered that any app installed on the Apple device would in fact be able to read the files.
The flaw would allow malicious actors to extract the data by creating a legitimate app, distributed in the App Store, with a high chance of being downloaded by the target user.
"Once the app gets downloaded and installed on the devices, it would continuously monitor the directory for configuration settings being written to the world readable directory, harvesting and sending them to the attacker," the firm wrote.
"Because all apps have access to the directory, it could hide in plain sight and operate as one of the many legitimate apps that have access to the directory in question."
Appthority said the impact to a business would depend on the kind of information an enterprise was provisioning using managed configurations.
It said it searched millions of apps currently running on enterprise-managed devices and narrowed them down to those with a dependency on managed configurations.
The firm found most were mobile device management clients, apps allowing access to work email and documents, or secure apps allowing access into enterprise networks.
When studying the managed settings of the applications, Appthority said it found 47 percent referenced username, password and authentication tokens among other credentials, and 67 percent referenced server identification information.
Appthority said it worked with Apple's security team after discovering the vulnerability, and the hole was patched in the recent iOS 8.4.1 update.
However, according to the firm, as many as 70 percent of enterprise iOS devices are not yet running the latest version of iOS, even several months after an update.
"Since the recent Apple security patch only covers devices running iOS 8.4.1 or later, it's critically important that MDM and EMM vendors update their apps as soon as possible to follow best practices when it comes to storage of credentials and sensitive data," Appthority mobile threat lead Kevin Watkins said in a statement.
For those who are unable to update their devices, Appthority suggested avoiding storing sensitive data in the managed app configuration system.
Admins could use other means, like custom URL schemes, to provision data after an app is installed, the firm said.
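For admins following the advice to keep sensitive data out of managed app configurations, the audit below walks a configuration payload and flags keys that fall into the two categories Appthority counted (credentials and server identification). It is an added example, not code from Appthority or Apple; the key-name patterns and the sample payload are constructed assumptions.

```python
import plistlib
import re

# Key-name heuristics for the two reported categories (assumed patterns).
CREDENTIAL = re.compile(r"user(name)?|login|pass(word|wd)?|token|secret|api[_-]?key", re.I)
SERVER = re.compile(r"server|host(name)?|url|endpoint|domain", re.I)

# Constructed sample managed app configuration payload (not from a real product).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ServerURL</key><string>https://mdm.example.com</string>
  <key>Account</key>
  <dict>
    <key>Username</key><string>jdoe</string>
    <key>AuthToken</key><string>CONSTRUCTED-TOKEN</string>
  </dict>
  <key>SyncIntervalMinutes</key><integer>15</integer>
  <key>Profiles</key>
  <array>
    <dict><key>vpnPassword</key><string>CONSTRUCTED</string></dict>
  </array>
</dict>
</plist>"""

def audit_managed_config(plist_bytes):
    """Return sorted (key_path, category) findings for a managed config plist."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if CREDENTIAL.search(key):
                    findings.append((here, "credential"))
                elif SERVER.search(key):
                    findings.append((here, "server"))
                walk(value, here)  # nested dicts and arrays are checked too
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(plistlib.loads(plist_bytes), "")
    return sorted(findings)

if __name__ == "__main__":
    for key_path, category in audit_managed_config(SAMPLE_PLIST):
        print(f"{category:10} {key_path}")
```

Matching is by key name only, so a hit is a prompt to review that setting, and a clean result does not prove a value is harmless.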