
Apple comments on Sidestepper, that supposed iOS MDM hijack security vulnerability...

Reports are circulating about a supposedly new iOS security vulnerability that involves a mobile device management (MDM) "hijack". Apple provided iMore with the following comment:

"This is a clear example of a phishing attack that attempts to trick the user into installing a configuration profile and then installing an app," an Apple spokesperson told iMore. "This is not an iOS vulnerability. We've built safeguards into iOS to help warn users of potentially harmful content like this. We also encourage our customers to download from only a trusted source like the App Store and to pay attention to the warnings that we've put in place before they choose to download and install untrusted content."

From what I've seen, and based on my understanding of what's going on, Apple is correct. This looks like a traditional phishing/social engineering attack that attempts to trick someone into installing malware. And to do it successfully, that someone has to tap through multiple screens, ignore iOS' unverified developer warning and all common security best practices, and confirm the installation.

In other words, it's like telling a bank manager you're the exterminator and getting them to let you into the vault, then claiming the lock is vulnerable to picking. It's no such thing. The person is vulnerable, and that's always the case in any system involving humans.

There's an argument to be made that Apple should warn people again before launching any enterprise apps installed this way. That's part of the constant struggle between convenience and security, where some will complain if there are not enough warnings and others if there are too many. If you tell someone there's a free game or adult content or something else they know is dodgy but still want, however, they'll blow through three or four warnings almost as quickly as two. Because, people.

Again, there's nothing new or novel about any of this that I can see. Phishing and social engineering attacks are something we've been warning people about for years and years. It's like getting an email asking you to verify your iCloud or Gmail login, your credit card or Amazon account details.

It's why we always tell people never to click or tap on links in an email and to only ever download apps from a trusted source like the App Store.

In this specific case, it appears to be even less of a concern for most people, since it's targeting people already using MDM, which is by no means the majority of iPhone or iPad users.

So, as always, stay informed but also stay critical. Don't let researchers or reporters steal your attention through fear-mongering. More often than not, that's the real malware.

Rene Ritchie
Contributor


2 Comments
  • Is this how AirShou installs work?
  • Basically, yes. A lot of apps and even entire third-party stores exploiting enterprise developer certificates seem to suggest similar installation steps (even for unjailbroken iOS devices). It usually involves going to their website and tapping on an install icon, which basically installs the equivalent of a web app (same as putting DuckDuckGo on your Home Screen, for example) on your device. From there, the funky stuff starts. You tap the icon, get a big "Untrusted Enterprise Developer" pop-up, ignore it and go to Settings > General > Profile to "Trust" the developer anyway. After that you launch the app again to download whatever juju you were after. The most prominent example currently out there (outside the enterprise sector) is probably the vShare app store.
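The chain the article and the comment above describe, a user-installed configuration profile followed by an app that did not come from the App Store, leaves traces in the inventory an MDM server already collects from an enrolled device. The following script is an added example, not code from the article, from iMore or from Apple: it parses constructed ProfileList and InstalledApplicationList responses and flags profiles the MDM did not push and apps that are neither managed nor reported as App Store apps. The response key names (IsManaged, PayloadContent/PayloadType, AppStoreVendable) follow Apple's MDM protocol as I understand it and the sample data is invented for the demonstration; confirm both against what your own MDM server records.

```python
"""Audit MDM inventory for the profile-then-app install chain described above."""
import plistlib
from typing import Dict, List, Set

# Constructed sample data (not captured from a real device): the device's
# replies to the MDM ProfileList and InstalledApplicationList commands, as
# the MDM server would receive them. Key names such as IsManaged,
# PayloadContent/PayloadType and AppStoreVendable follow Apple's MDM
# protocol as I understand it; verify them against your own server's records.
PROFILE_LIST_RESPONSE: bytes = plistlib.dumps({
    "Status": "Acknowledged",
    "ProfileList": [
        {
            # the organisation's enrollment profile, pushed by the MDM server
            "PayloadDisplayName": "Corp MDM",
            "PayloadIdentifier": "com.example.corp.mdm",
            "PayloadOrganization": "Example Corp",
            "IsManaged": True,
            "PayloadContent": [{"PayloadType": "com.apple.mdm"}],
        },
        {
            # a profile the user installed from a website; it only adds a web clip
            "PayloadDisplayName": "Free Games",
            "PayloadIdentifier": "net.example.freegames",
            "PayloadOrganization": "Free Games",
            "IsManaged": False,
            "PayloadContent": [{"PayloadType": "com.apple.webClip.managed"}],
        },
    ],
})

APP_LIST_RESPONSE: bytes = plistlib.dumps({
    "Status": "Acknowledged",
    "InstalledApplicationList": [
        {"Identifier": "com.example.corp.expenses", "Name": "Expenses",
         "ShortVersion": "3.1", "AppStoreVendable": True},
        {"Identifier": "net.example.freegames.app", "Name": "Free Games",
         "ShortVersion": "1.0", "AppStoreVendable": False},
    ],
})

# Bundle identifiers the MDM server itself pushed (InstallApplication);
# anything else on the device got there some other way.
MANAGED_APP_IDS: Set[str] = {"com.example.corp.expenses"}


def unmanaged_profiles(profile_list_response: bytes) -> List[Dict]:
    """Profiles the user installed by hand rather than ones the MDM pushed.

    IsManaged is false for a profile that arrived through Safari and the
    "Install" prompt, which is the first step of the chain described above.
    A missing key is treated as unmanaged so the profile gets reviewed.
    """
    resp = plistlib.loads(profile_list_response)
    return [p for p in resp.get("ProfileList", []) if not p.get("IsManaged", False)]


def sideloaded_apps(app_list_response: bytes, managed_ids: Set[str]) -> List[Dict]:
    """Apps neither pushed by the MDM nor reported as App Store apps.

    AppStoreVendable is only reported by newer iOS versions; when it is absent
    the app is treated as not known to come from the store, so older devices
    err toward flagging rather than silently passing.
    """
    resp = plistlib.loads(app_list_response)
    return [
        a for a in resp.get("InstalledApplicationList", [])
        if a.get("Identifier") not in managed_ids and not a.get("AppStoreVendable", False)
    ]


def audit(profile_list_response: bytes, app_list_response: bytes,
          managed_ids: Set[str]) -> List[str]:
    """One human-readable finding per suspicious profile or app."""
    findings: List[str] = []
    for p in unmanaged_profiles(profile_list_response):
        types = sorted({c.get("PayloadType", "?") for c in p.get("PayloadContent", [])})
        findings.append(
            f"unmanaged profile {p.get('PayloadIdentifier')} "
            f"({p.get('PayloadDisplayName')}) with payloads: {', '.join(types)}"
        )
    for a in sideloaded_apps(app_list_response, managed_ids):
        findings.append(
            f"app {a.get('Identifier')} ({a.get('Name')}) was not pushed by MDM "
            f"and is not an App Store app"
        )
    return findings


if __name__ == "__main__":
    for line in audit(PROFILE_LIST_RESPONSE, APP_LIST_RESPONSE, MANAGED_APP_IDS):
        print(line)
```

Run against the constructed data, the audit reports the "Free Games" profile and the "Free Games" app and stays quiet about the enrollment profile and the managed Expenses app. Detection after the fact is the fallback; the controls that stop the chain at the first and last step are the Restrictions payload keys that, as I understand them, block interactive profile installation on supervised devices (allowUIConfigurationProfileInstallation) and remove the "Trust" button for enterprise developers (allowEnterpriseAppTrust, iOS 9 and later), which takes the decision the article worries about away from the user entirely.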