How to SideStep Malicious Enterprise Apps

Written by: Shane Taylor, CEO, Mobliciti

Back in January I wrote about the growing vulnerability of Apple devices and my frustration that this still isn’t something that is taken seriously.

There’s been a long standing belief that if you have an Apple product, be it a MacBook, iPad or iPhone then you are safe from malicious attack. That may have been a case a few years ago but along with advancements in technology, the cybercriminals have also ‘advanced’ in their skillset.

Since then, my colleagues at Check Point have gone a step further and clearly outlined how devices enrolled with a Mobile Device Management (MDM) solution are vulnerable to a SideStepper attack.

Tricking users

Nicknamed SideStepper, the attack bypasses security protocols in order to install malware on the device. It targets iOS devices used in enterprise environments (so only those with an MDM solution). These devices usually need custom apps that link with private data servers so they’re not available on Apple’s App Store. To enable installation of custom apps Apple issues enterprise certificates which the company then uses to sign these apps. This is where the SideStepper vulnerability lies.

Under normal circumstances on iOS 9, anyone who downloads an ‘enterprise’ app on their device will be prompted to go through a series of setting screens to verify the developer before enabling the app to work. However, in the interests of efficiency and improved workflow, MDM solutions bypass these crucial security measures. In fact, Check Point’s report explains that iOS instinctively trusts any app installed by an MDM solution. This leaves users in a very vulnerable position and may unwittingly be leaving their employer open to a cyber-attack.

How can I prevent an attack?

First things first, you need to acknowledge that there is a clear and present danger. As I’ve outlined in the past, the time for complacency has gone. Cybercriminals are savvy and have upped their game.

  • Contact your IT, Mobility or Security team and ask them if they are aware of SideStepper and ask what are they doing to prevent a malicious attack?
  • Be diligent and triple check any app installation request before installing.
  • Do some research on mobile security threat prevention – if your organisation hasn’t tackled this growing risk to business then encourage them to take it seriously NOW!

The key message is if your organisation has invested in Firewalls and anti-virus software then isn’t it about time it invested in securing its Mobile devices?

As ‘Mobile-first’ experts, the team at Mobliciti have been bordering on evangelical when it comes to mobile security threat prevention. Over the years we have built on our expertise, acquired a vast network of partners (who are all as evangelical as us when it comes going ‘Mobile-first’) and we’ve helped many organisations implement a ‘Mobile-first’ strategy safely and securely.

Our partnership with Check Point empowers us to provide our clients with peace of mind, that they can roll out MDM knowing that their devices are safe from attack. If getting to grips with MDM is proving a challenge or you would like to find out how we can help you implement a ‘Mobile-first’ strategy without the headache.