New iOS Vulnerability ‘Quicksand’ puts Enterprise Managed Devices at Risk

quicksand_peril__part_two_by_alyxcaptor

A new enterprise vulnerability called Quicksand has been found in the iOS Sandbox that affects third party applications. This means that all enterprise apps installed on your employee’s devices are susceptible to hacks and potentially expose sensitive corporate data.

The Appthority Enterprise Mobility Team uncovered this violation and determined that it impacts all iOS users who have mobile device management (MDM) applications on their phones.

“The violation impacts all MDM clients as well as any mobile apps distributed via an MDM that use the Managed App Configuration setting to configure and store private settings and information,” said the report by Appthority.  “In order to ‘auto-fill’ account setup for the MDM client and MDM-distributed apps, IT will commonly send the credential and authentication information along with the managed app binary for installation on corporate mobile devices. We found this information often included access to the ‘corporate data security jewels’, including server url’s, credentials with plaintext passwords, etc. The end goal with this practice is a more streamlined user experience, where the user can gain virtually instant access to their corporate apps (and corporate data) without having to enter long strings of authentication credentials.”

The biggest risk factor for this security gap is that anyone can see your corporate data through your employee’s credentials. They gain this access through other apps installed on the device; quicksand allows apps to read each other’s data when installed on the same device, making your corporate data just as vulnerable as any other third party app despite all of the security measures you’ve taken.

This is particularly concerning for enterprise because developers could create rogue apps that are virtually undetectable. Not only could this be devastating to your files, but it could also get you in a lot of trouble, depending on what industry you’re in. For example, in the medical field Appthority found that apps in the healthcare field could potentially leak private patient information, getting your company in a lot of trouble.

Most MDM vendors have fixed this app, but the problem still lies with updates. If your employee hasn’t updated their iOS device in the past month, they are still vulnerable to this security gap.