iOS vulnerability targets corporate data

24 Aug 2015

Appthority, the mobile app risk management and data security company, has identified a critical iOS ‘Quicksand’ vulnerability that enables malicious apps to harvest enterprise credentials.

The security flaw in the iOS mobile operating system impacts all iPhone, iPod touch and iPad devices running iOS 7 and later.

‘Quicksand’ is a sandbox security vulnerability that enables a malicious mobile app, or a bad actor who gains access to a physical device, to read other installed mobile apps' managed preferences. This gives cybercriminals the ability to harvest credentials and exfiltrate other sensitive corporate data.

Apple has fixed the vulnerability in the most recent iOS 8.4.1 security update.

However, according to Appthority, many enterprises remain at risk because mobile devices are running outdated iOS versions without the security patch, and because Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) solutions are not following best practices for credential storage.

According to Appthority research, an estimated 70% of enterprise Apple devices are still running an outdated iOS version.

Therefore, even with the recent release of iOS 8.4.1, the Quicksand vulnerability will continue to be an enterprise security risk.

In addition, many enterprises rely on MDM and EMM solutions as their core mobile security layer protecting them from data loss and leakage, but most MDM and EMM solutions are currently impacted by this vulnerability and are thus exposing credentials and other sensitive data, says Appthority.

To minimise fallout, the company recommends all enterprises ensure both corporate and employee-owned devices are running the most current iOS version.

"Since the recent Apple security patch only covers devices running iOS 8.4.1 or later, it's critically important that MDM and EMM vendors update their apps as soon as possible to follow best practices when it comes to storage of credentials and sensitive data," says Kevin Watkins, Appthority co-founder and mobile threat lead.
