SideStepper: Bypassing the iOS Gatekeeper to Attack iPhone and iPad Devices

Check Point disclosed details about SideStepper, a vulnerability that can be used to install malicious enterprise apps on iPhone and iPad devices enrolled with a mobile device management (MDM) solution. The Check Point mobile research team presented details about this vulnerability at Black Hat Asia 2016 in Singapore on April 1, 2016.


What is SideStepper?
SideStepper is a vulnerability that allows an attacker to circumvent security enhancements in iOS 9 meant to protect users from installing malicious enterprise apps. These enhancements require the user to take several steps in device settings to trust an enterprise developer certificate, making it harder to install a malicious app accidentally.

However, enterprise apps installed using an MDM are exempt from these new security enhancements. An attacker can hijack and imitate trusted MDM commands on an iOS device, including over-the-air installation of apps signed with enterprise developer certificates. This exemption allows an attacker to side-step Apple’s solution meant to thwart installation of malicious enterprise apps.

How are iPhone and iPad devices exposed to this vulnerability?
First, an attacker convinces a user to install a malicious configuration profile on a device by using a phishing attack. This simple and often effective attack method uses messaging platforms like SMS, instant messaging, or email to trick users into clicking a malicious link.

Once installed, this malicious profile allows an attacker to stage a Man-in-the-Middle (MitM) attack on the communication between the device and an MDM solution. The attacker can then hijack and imitate MDM commands that iOS trusts, including the ability to install enterprise apps over-the-air.
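A defensive check for the profile stage described above, added here as an example and not taken from Check Point's report: it parses an unsigned .mobileconfig file and flags payloads that add a trust anchor or reroute traffic. The article does not say which payloads the malicious profile carries, so the payload list, the function names, and the sample profile are assumptions made for illustration.

```python
import plistlib

# Payload types that can redirect traffic or add trust anchors. The article does
# not name the payloads used; this selection is an assumption for the example.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA certificate",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.proxy.http.global": "sends HTTP(S) traffic through a proxy",
    "com.apple.vpn.managed": "sends traffic through a VPN",
    "com.apple.mdm": "enrolls the device with an MDM server",
}
CA_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}
ROUTE_TYPES = {"com.apple.proxy.http.global", "com.apple.vpn.managed"}

def audit_profile(data: bytes) -> list:
    """Return (payload type, display name, reason) for each risky payload."""
    try:
        profile = plistlib.loads(data)
    except plistlib.InvalidFileException:
        # Signed profiles are CMS-wrapped; unwrap them before auditing.
        raise ValueError("not a bare plist (signed or malformed profile)") from None
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            name = payload.get("PayloadDisplayName", "(unnamed)")
            findings.append((ptype, name, RISKY_PAYLOADS[ptype]))
    return findings

def allows_interception(findings) -> bool:
    """A new trust anchor plus a proxy or VPN route can expose TLS traffic."""
    types = {f[0] for f in findings}
    return bool(types & CA_TYPES) and bool(types & ROUTE_TYPES)

def constructed_sample() -> bytes:
    """Constructed profile for the demo; every value is made up."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Wi-Fi Settings Update",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "Example CA"},
            {"PayloadType": "com.apple.vpn.managed", "PayloadDisplayName": "Example VPN"},
            {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Office Wi-Fi"},
        ],
    })

if __name__ == "__main__":
    found = audit_profile(constructed_sample())
    print(*found, sep="\n")
    print("interception possible:", allows_interception(found))
```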

What iOS devices are at risk?
The vulnerability potentially impacts millions of iPhone or iPad devices enrolled with an MDM solution. The Check Point mobile research team will demonstrate this vulnerability at Black Hat Asia 2016 using an iPhone running iOS 9.2.

How would I know if my iPhone or iPad is under attack?
Without an advanced mobile threat detection and mitigation solution on the iOS device, there is little chance a user would suspect any malicious behavior had taken place. On a managed iOS device, commands from an MDM are trusted, and because these commands appear to the user as coming from the MDM that already manages the device, the entire process seems authentic.

What’s the risk if an attacker exploits the vulnerability on my device?
An attacker could use a number of MDM commands to exploit the vulnerability, with effects ranging from nuisances to data exfiltration. The research team will demonstrate at Black Hat Asia how an attacker can install malicious apps that may include a broad range of functionality.

Since iOS trusts these apps, and because the installation process is familiar to the user, infection is seamless and immediate. This vulnerability puts the user, the security of sensitive information on the device, and voice conversations in proximity to the device at significant risk. Malicious apps can be designed to:

  • Capture screenshots, including screenshots captured inside secure containers
  • Record keystrokes, exposing login credentials of personal and business apps and sites to theft
  • Save and send sensitive information like documents and pictures to an attacker’s remote server
  • Control sensors like the camera and microphone remotely, allowing an attacker to view and capture sounds and images

How can I protect myself from this vulnerability?
Check Point recommends taking several steps to mitigate the risk:

  • Ask your enterprise to deploy a mobile security solution that detects and stops advanced mobile threats.
  • Examine carefully any app installation request before accepting it to make sure it’s legitimate.
  • Contact your mobility, IT, or security team for more information about how it secures managed devices.
  • Use a personal mobile security solution that monitors your iOS device for any malicious behavior.

Where can I learn more about SideStepper?
The Check Point mobile threat research team has compiled a report that includes a detailed analysis of how attackers can exploit the SideStepper vulnerability on iOS devices.

Click here to download the report.

Where can I learn more about Check Point mobile security solutions?
Visit for more information.