Story image

iOS vulnerability targets corporate data

24 Aug 15

Appthority, the mobile app risk management and data security company, has identified a critical iOS ‘Quicksand’ vulnerability that enables malicious apps to harvest enterprise credentials.

The security flaw in the iOS mobile operating system impacts all iPhone, iPod touch, iPad devices running iOS 7 and later.

‘Quicksand’ is a sandbox security vulnerability that enables a malicious mobile app, or a bad actor who gains access to a physical device, to read other installed mobile apps' managed preferences. This gives cybercriminals the ability to harvest credentials and exfiltrate other sensitive corporate data.

Apple has fixed the vulnerability in the most recent iOS 8.4.1 security update.

However, according to Appthority, many enterprises remain at-risk due to mobile devices running outdated iOS versions without the security patch, and Mobile Device Management (MDM) as well as Enterprise Mobility Management (EMM) solutions which are not using best practices in regard to credential storage protocol.

According to Appthority research, an estimated 70% of enterprise Apple devices are still running an outdated iOS version.

Therefore, even with the recent release of iOS 8.4.1, the Quicksand vulnerability will continue to be an enterprise security risk.

In addition, many enterprises rely on MDM and EMM solutions as their core mobile security layer protecting them from data loss and leakage, but most MDM and EMM solutions are currently impacted by this vulnerability and are thus exposing credentials and other sensitive data, says Appthority.

To minimise fallout, the company recommends all enterprises ensure both corporate and employee owned devices are running the most current iOS version.

"Since the recent Apple security patch only covers devices running iOS 8.4.1 or later, it's critically important that MDM and EMM vendors update their apps as soon as possible to follow best practices when it comes to storage of credentials and sensitive data," says Kevin Watkins, Appthority co-founder and mobile threat lead.

ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
Exclusive: Fileless malware driving uptake of behavioural analytics
Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).
'DerpTrolling’ faces jail time for Sony DoS attacks
A United States federal court has charged a 23-year-old man for the hacks on Sony Online Entertainment and other major companies back in 2014.
Kiwis concerned about being scammed – survey
This unease is warranted given the growing sophistication of scammers and their activities, and numbers of attempted fraud.
It's time to rethink your back-up and recovery strategy
"It is becoming apparent that legacy approaches to backup and recovery may no longer be sufficient for most organisations."
Dropbox strengthens security with raft of new partnerships
Integrations will keep customer content protected and secure with tools for controlling identity access, governing data, and managing devices.
Interview: Aruba’s NZ country manager talks channel strategy
“What we're taking to market is that message around simplification and having everything in one place.”
Companies swamped by critical vulnerabilities – Tenable
Research has found enterprises identify 870 unique vulnerabilities on internal systems every day, on average, with over 100 of them being critical.