Security Software & Equipment Store

Thursday, June 2, 2016

Apple’s iOS Vulnerability Disclosed by Mi3 Security

Apple has not fixed a vulnerability that could allow attackers to replace regular apps with rogue versions without the user’s knowledge. Chilik Tamir from security vendor Mi3 Security disclosed the malicious software at the Hack in the Box conference in Amsterdam last week and has been told by Cupertino that it is working on a patch, although so far none has been forthcoming, according to reports.

Tamir demoed a similar attack at Black Hat Asia at the end of March. Using a self-built tool dubbed ‘Su-A-Cyder’, he showed how an attacker could replace legitimate apps developed with Xcode7 – an iOS IDE. Anyone can apparently get an Xcode7 developer’s certificate as long as they can produce an email address and Apple ID. If the malicious replacement app has the same bundle ID as the original, it could be downloaded onto a victim’s device – allowing an attacker to carry out a potentially wide range of malicious activities without the user's knowledge.

Apple’s iOS 8.3 release blocked this attack route by preventing any app upgrades if the files don’t match. However, in Amsterdam last week, Tamir apparently showed a way to circumvent this mitigation with SandJacking – a new technique in which an attacker with access to a victim’s device initiates a back-up, then deletes the original app, before loading the malicious replacement and restoring the device from back-up. The new malicious app will require manual approval by the user, but this is likely to be given as it will look identical to the original.

Which mitigation tactics should CISOs and consumers alike take against this vulnerability? Share your comments with the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
