
iOS vulnerability targets corporate data

Appthority, the mobile app risk management and data security company, has identified a critical iOS ‘Quicksand’ vulnerability that enables malicious apps to harvest enterprise credentials.

The security flaw in the iOS mobile operating system impacts all iPhone, iPod touch and iPad devices running iOS 7 and later.

‘Quicksand’ is a sandbox security vulnerability that enables a malicious mobile app, or a bad actor who gains access to a physical device, to read other installed mobile apps' managed preferences. This gives cybercriminals the ability to harvest credentials and exfiltrate other sensitive corporate data.

Apple has fixed the vulnerability in the most recent iOS 8.4.1 security update.

However, according to Appthority, many enterprises remain at risk for two reasons: mobile devices are still running outdated iOS versions without the security patch, and Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) solutions are not following best practices for credential storage.

According to Appthority research, an estimated 70% of enterprise Apple devices are still running an outdated iOS version.

Therefore, even with the recent release of iOS 8.4.1, the Quicksand vulnerability will continue to be an enterprise security risk.

In addition, many enterprises rely on MDM and EMM solutions as their core mobile security layer protecting them from data loss and leakage, but most MDM and EMM solutions are currently impacted by this vulnerability and are thus exposing credentials and other sensitive data, says Appthority.

To minimise fallout, the company recommends all enterprises ensure both corporate and employee-owned devices are running the most current iOS version.

"Since the recent Apple security patch only covers devices running iOS 8.4.1 or later, it's critically important that MDM and EMM vendors update their apps as soon as possible to follow best practices when it comes to storage of credentials and sensitive data," says Kevin Watkins, Appthority co-founder and mobile threat lead.
