grandeduc - Fotolia
Attackers with physical access to an unlocked iPhone can use a SandJacking technique to replace a legitimate app with a malicious version of it, which can access sandboxed data from the phone. I read that Apple addressed the issue with a patch, but that the SandJacking technique may have been altered. What's the latest on this technique, and what's the best way to mitigate it?
Once a security researcher or attacker has physical access to a device's hardware and sufficient resources, he will be able to bypass the security on a system. This is what happens in the SandJacking attack -- Chilik Tamir, chief architect of research and development at mobile security firm Mi3 Security, gave a presentation at the Hack In The Box security conference where he was able to load malware on an iPhone without jailbreaking it.
A SandJacking attack can be performed on an unlocked iPhone using a rogue application, a developer certificate for signing the rogue application and a computer. The rogue version of an application would be signed by the developer certificate to replace the legitimate application when the iPhone is connected to the computer. The malicious application would reuse the bundle ID of a legitimate application and other details to make itself look like the legitimate application and give it access to the data in the application sandbox. Tamir also developed a toolkit to automate the attack, but withheld the toolkit until a patch is released by Apple. Apple had patched an earlier version of the SandJacking attack, but Tamir updated the attack to exploit a weakness in how the restore application functionality on iOS worked.
Since there isn't a patch for the current SandJacking attack, enterprises and individuals will need to be diligent about who has physical possession of their iPhones, because anyone with physical possession and the PIN could use this attack. If your enterprise is concerned about this and other attacks from third-party repair companies, it could back up the device's data and do a factory reset to the default OS prior to having it repaired, to ensure no unauthorized access to enterprise data. Stating the obvious, once a patch is available, it should be installed on vulnerable devices.
Find out how a malicious app bypassed the Google Play store security
Learn how expired domains present a way for malicious activity on mobile devices
Read about the best iOS app development tools
Dig Deeper on Threats and vulnerabilities
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading