Demystifying iOS Enterprise Certificates

In light of recent events, we’re taking a look at iOS Enterprise certificates from a mobile security perspective. By examining the WireLurker case, we see that Apple’s framework for enabling companies to create and distribute apps intended for in-house use only has become the root of serious security issues.

What exactly are enterprise certificates and who are they for?

For $99, any developer can build iOS apps and install them on their own devices for testing before submitting them to the App Store for sale. Each developer account is allowed to install its apps on a limited number of devices for development and testing.

The iOS Developer Enterprise Program relaxes the limits on the number and identity of devices. For just $299, companies can develop and distribute apps intended for internal use only, since most companies wouldn’t want proprietary, in-house apps on the App Store.

How does this expose enterprises to risk?

Once an app is signed with an enterprise certificate, iOS treats it as validated by Apple and it can run on any iOS device. Using enterprise certificates to install apps that haven’t truly been validated by Apple, or to install malicious surveillance software surreptitiously on a device, isn’t a new technique.

In fact, it is a practical attack vector that we have written extensively about in the past:

  • The Original Pangu Jailbreak tool for iOS 7.1: Pangu was the first jailbreak tool that was able to run remotely as an app. Pangu developers bypassed Apple’s control and managed to leverage Apple’s restrictions for their purposes by using an Enterprise Certificate.
  • WireLurker – A new advanced malware that affects both iOS and OS X devices: To install itself on iOS devices that aren’t jailbroken, WireLurker installs predefined malicious apps signed with an enterprise certificate. In this instance, the certificate is known to be compromised and is also used by other non-App Store apps, such as one called Moviebox. These apps, signed with the compromised certificate, send information from the device, including the device identifier.

What can enterprises do to reduce exposure?

Threat actors are increasingly pushing enterprise-certificate-signed iOS apps, which makes third-party marketplaces even more dangerous. So first and foremost, stress the importance of installing apps only from the Apple App Store or from your enterprise app store. Employees should also be told to avoid opening suspicious links or installing unknown apps from potentially untrusted sources.

How can Lacoon help alleviate the concern?

Apple does not allow you to block the installation of enterprise-certificate-signed apps; iOS only asks the user for permission at install time. With Lacoon Mobile Security, enterprises can identify apps that were installed using enterprise certificates, have not been validated by Apple, and are not approved by the enterprise. It can also detect and alert when someone installs an app signed with a compromised certificate on a mobile device.
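One way to surface the exposure described above, as an added example that is not part of the original post and not Lacoon’s product code: inspect the provisioning profile (embedded.mobileprovision) shipped inside an installed app, treat a profile with `ProvisionsAllDevices` set as an in-house enterprise profile, and alert when its Team ID is not on the organisation’s allowlist or the profile has expired. The allowlist, the Team IDs and the profile bytes are constructed for this example.

```python
import plistlib
from datetime import datetime, timezone

# Hypothetical allowlist of Team IDs whose in-house apps the enterprise has approved.
APPROVED_TEAM_IDS = {"APPR0VEDTEAM"}

# Constructed sample: fake CMS/DER bytes wrapped around the XML plist that a real
# embedded.mobileprovision carries. Team ID, name and dates are made up.
SAMPLE_PROFILE = (
    b"\x30\x82\x0b\x1c\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict>\n'
    b"<key>Name</key><string>Constructed In-House Profile</string>\n"
    b"<key>TeamIdentifier</key><array><string>UNKN0WNTEAM</string></array>\n"
    b"<key>ProvisionsAllDevices</key><true/>\n"
    b"<key>ExpirationDate</key><date>2015-11-01T00:00:00Z</date>\n"
    b"</dict></plist>"
    b"\xa0\x82\x08\x00\x30\x82\x03\x00"  # fake trailing signer/certificate bytes
)

def extract_profile_plist(blob: bytes) -> dict:
    """Slice the XML plist out of a provisioning profile and parse it.

    A profile is a CMS (PKCS#7) signature over a raw XML plist, so the plist can
    be located by its markers without decoding the DER envelope. The signature
    itself is not verified here."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def audit_profile(blob: bytes, now=None) -> dict:
    """Flag in-house (enterprise) profiles from unapproved teams or past expiry."""
    profile = extract_profile_plist(blob)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    team_ids = profile.get("TeamIdentifier", [])
    team_id = team_ids[0] if team_ids else None
    # ProvisionsAllDevices is present only on in-house distribution profiles;
    # App Store and ad hoc profiles omit it.
    enterprise_signed = bool(profile.get("ProvisionsAllDevices"))
    expires = profile.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    expired = expires is not None and expires <= now
    return {
        "team_id": team_id,
        "enterprise_signed": enterprise_signed,
        "expired": expired,
        "alert": enterprise_signed and (team_id not in APPROVED_TEAM_IDS or expired),
    }
```

Run against a real profile, the same function reports the Team ID and in-house flag that a device agent would compare against the enterprise’s approved list; a profile from an unknown team or with a lapsed expiry date is the case that warrants an alert.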