iOS Zero-Day Exploit – Apps Sideload without Sandbox Protection

Ahead of the long-awaited Apple iOS version 13.5, a second vulnerability has been discovered within a short space of time, one that potentially allows apps to escape from the sandbox that was thought to be secure. This can give apps read and write access to the entire file system. In combination with other vulnerabilities, it can even lead to the abuse of root or kernel privileges. A simple XML comment with incorrectly formed syntax in a plist file is enough to trigger the vulnerability: if the manipulated app is launched, all of the requested authorizations (entitlements) are simply passed through the XML parser.
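Because the bug hinges on an XML comment that different plist parsers interpret differently, a defensive review of an app's entitlements plist can treat any comment, any strict-parse failure, and any entitlement outside an allowlist as grounds for rejection. The following is an added example (not code from the original article or from agilimo); the sample plists and the allowlist are constructed and should be tailored to your organisation.

```python
import plistlib
import re

# Constructed sample: a benign entitlements plist, shaped like the
# entitlements embedded in a signed app (not taken from any real app).
BENIGN_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID.example.app</string>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>
"""

# Constructed sample: contains an XML comment and a key outside the
# allowlist. Both should be flagged, since an entitlements file has no
# legitimate reason to carry comments.
SUSPICIOUS_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <!-- generated -->
    <key>application-identifier</key>
    <string>TEAMID.example.app</string>
    <key>com.example.extended-entitlement</key>
    <true/>
</dict>
</plist>
"""

# Assumed allowlist: the entitlements a reviewer accepts without question.
ALLOWED_KEYS = {"application-identifier", "get-task-allow",
                "keychain-access-groups", "com.apple.developer.team-identifier"}

COMMENT_START = re.compile(rb"<!--")


def review_entitlements(data: bytes) -> dict:
    """Return {'reject': bool, 'reasons': [...], 'extra_keys': [...]}."""
    reasons = []
    if COMMENT_START.search(data):
        reasons.append("xml comment present")
    try:
        # Strict parse: plistlib raises on malformed XML instead of guessing.
        entitlements = plistlib.loads(data)
    except Exception as exc:
        reasons.append("unparseable: " + exc.__class__.__name__)
        return {"reject": True, "reasons": reasons, "extra_keys": []}
    extra = sorted(k for k in entitlements if k not in ALLOWED_KEYS)
    if extra:
        reasons.append("entitlements outside allowlist")
    return {"reject": bool(reasons), "reasons": reasons, "extra_keys": extra}
```

Run the check over the entitlements extracted from every sideloaded or enterprise-signed build before it is distributed via UEM/MDM.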

iOS sideload danger for companies

It can be assumed that apps that have already been tampered with have also made it through Apple’s approval process into the public App Store. The recently disclosed bug is particularly problematic in the context of app sideloading and the use of iPhones and iPads in companies. agilimo consulting GmbH recommends the following best practice approaches for your company.

Sandbox hack – protection through UEM / MDM

Sideloading of apps can be prevented in device management (UEM/MDM) if the apps have been signed with an Apple ID. Apps signed with enterprise certificates, however, can still be installed, so only apps and updates from trusted sources should be provided via UEM/MDM mechanisms. Disabling “allowEnterpriseAppTrust” could help your organization reduce the impact right now. Attention: this does not prevent the sideloading of enterprise applications from the Enterprise App Store.

Recommendation for action from agilimo consulting GmbH:

  • Until the release of iOS 13.5, only transfer apps and updates from trusted sources via UEM/MDM.
  • Install the sideloading tool AltStore to check whether an app requests extended authorizations.
  • Activate “allowEnterpriseAppTrust” in UEM/MDM.

If you need direct support, please contact us via the following contact options: info@agilimo.de | +49 (0) 6028-94013-0

Sources: Andreas Kurtz on Twitter, Siguza | Related articles: iOS zero-day hack in Apple Mail
