iOS is supposed to be a secure environment where only certified code can run. That’s why Apple uses its app review to scrutinize each and every app before it makes it onto the App Store. However, there are other paths to distribute apps to iOS devices without going through Apple’s review.
The first is using developer certificates. Each user is entitled to one developer certificate which can be used to test apps on a real iOS device. The second and more common way is by using enterprise certificates. Apple created the Developer Enterprise Program so businesses could develop and deploy their own apps for internal use. These apps can be distributed quickly and directly to devices, enabling enterprises to develop apps that meet their own business requirements without publishing them on the App Store. In this way, enterprises can avoid a lengthy review process and, more importantly, keep these apps out of the hands of non-employees.
While both paths can be used legitimately, they also have risks. Cyber criminals can use enterprise certificates to:
- Abuse public APIs: Apple makes APIs available for developer use, and during the review process Apple makes sure that apps use APIs only for their stated purpose. But an enterprise app can abuse public APIs to gain extended capabilities; the VoIP API, for example, can be abused to keep an app running silently and constantly in the background.
- Abuse private APIs: These APIs are internal Apple APIs, and Apple forbids developers from using these in order to protect users’ sensitive data. However, since enterprise apps do not pass through Apple’s review, developers can abuse them freely. Using these APIs, enterprise apps can access installed apps and sensitive information Apple tries to protect.
- Exploit iOS: Apps signed with enterprise certificates can be used to exploit iOS by jailbreaking it. In this scenario, apps can do virtually anything their creator wants, like controlling both the device and the user’s information.
There are only two lines of defense Apple places against these abuses. The first is that, in order to obtain an enterprise certificate, a developer must register with Apple. The second line of defense is user trust. To allow an enterprise app to run on a device, the user must first change settings on the device to trust the enterprise developer’s certificate explicitly. This isn’t a great way to protect devices, since most users don’t understand the ins and outs of granting explicit trust to a developer.
Both developer and enterprise apps are abused on a regular basis. Third-party app stores such as vShare, 25PP, Kuaiyong, 7659, and others abuse certificates as a distribution method. These third-party app stores register as an enterprise with Apple to enter the program and to obtain an enterprise certificate. They use the certificate to install apps on their customers’ devices, claiming they are “staff” members.
Developer and enterprise certificates are abused for malicious purposes as well. Many malware families have made use of these certificates to infiltrate devices. Among these are the infamous Masque attack from 2014 (also used by Hacking Team), WireLurker, YiSpecter and, more recently, ZergHelper.
These abuses aren’t a minor phenomenon. One Check Point customer, a Fortune 100 company, found that among the 5,000 devices it manages, 318 unique enterprise apps were installed. Most of the certificates used to sign these apps belonged to developers with little or no information about their reputation. More than 70% of these enterprise apps originated in China and other Asian countries. If only one of these 318 apps is malicious, all of the company’s data will be compromised.
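The inventory described above starts with telling enterprise-signed apps apart from developer and App Store builds and recording which team signed them. The Python below is an added illustration of that triage, not code from the original post or from Check Point: it reads the plist inside an app's embedded.mobileprovision and classifies the distribution path. The profile bytes, team name and team identifier are constructed, and the plist is read without verifying the CMS signature, so this is inventory, not a trust decision.

```python
import plistlib
import re
from datetime import datetime

# Constructed sample: the plist payload of an embedded.mobileprovision wrapped in
# filler bytes standing in for its CMS envelope; team, app id and expiry are made up.
SAMPLE_PROFILE = (
    b"\x30\x82\x01\x00\x06\x09cms-envelope-filler"
    b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
    b"<key>TeamName</key><string>Example Distribution Co</string>\n"
    b"<key>TeamIdentifier</key><array><string>ABCDE12345</string></array>\n"
    b"<key>ProvisionsAllDevices</key><true/>\n"
    b"<key>ExpirationDate</key><date>2017-03-01T00:00:00Z</date>\n"
    b"<key>Entitlements</key><dict><key>get-task-allow</key><false/></dict>\n"
    b"</dict></plist>\x00\x00signature-filler"
)
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

def extract_plist(blob: bytes) -> dict:
    # Pull the plist out of the CMS envelope; this does not verify the signature.
    match = PLIST_RE.search(blob)
    if not match:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(match.group(0))

def classify_profile(profile: dict) -> str:
    # Map the profile's keys to the distribution path that produced it.
    if profile.get("ProvisionsAllDevices"):
        # In-house (enterprise) profile: runs on any device whose user has
        # trusted the enterprise certificate, with no App Store review.
        return "enterprise"
    if "ProvisionedDevices" in profile:
        # Device-bound profile: a developer build if debugging is allowed
        # (get-task-allow), otherwise ad hoc distribution.
        debug = profile.get("Entitlements", {}).get("get-task-allow")
        return "development" if debug else "ad-hoc"
    return "app-store"  # App Store distribution profiles carry neither key

def triage(blob: bytes, now_iso: str = "") -> dict:
    # Summarise one profile: signer, expiry and whether it needs a closer look.
    profile = extract_plist(blob)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.utcnow()
    kind = classify_profile(profile)
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "expired": profile["ExpirationDate"] < now,
        "review": kind in ("enterprise", "development"),
    }
```

Run over every IPA an MDM reports, the `team_ids` field is what groups the 318 apps above by signer, so unknown or expired signers surface first.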
Apple has taken some protective measures in iOS 9 to mitigate this weakness in their ecosystem. However, Check Point researchers have found a way to sidestep these security measures. The research team will present this proof of concept at Black Hat Asia 2016 in Singapore on April 1!
Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.