ENTERPRISE APPS: BYPASSING THE IOS GATEKEEPER presented at Black Hat Asia 2016

by Ohad Bobrov, Avi Bashan

Summary: A critical component of Apple's security model is how the App Store serves as gatekeeper for all code on iOS devices. This makes Apple's Developer Enterprise Program its Achilles' heel, allowing enterprises to bypass the store's code validation process and deploy their own apps directly to devices.
In recent years we have witnessed a rise in usage of iOS Enterprise apps. This fact is especially alarming when considering how these certificates can be easily used for illegitimate purposes by anyone from known state-actor spies like Hacking Team (RCS) to Chinese app piracy stores.
Apple has tried to mitigate these issues in iOS 9 by introducing new features like requiring user intervention in order to use enterprise-signed apps, but are these measures enough? We'll demonstrate, using a novel zero-day attack, how to leverage new security features in iOS 9 to install a malicious enterprise app on a user's phone.
In this session, we will give an overview of how enterprise-signed apps have been used to attack iOS devices and examples of uses discovered in the wild. We'll share real-world statistics about the prevalence of enterprise apps installed on iOS devices and show which enterprise apps are the most popular. In addition, we'll reveal our zero-day vulnerability.