A security expert has identified a new iOS attack method, called SandJacking, that allows criminals with physical access to a device to load malicious apps onto it.
SandJacking Is Yet Another Problem for iOS Security
Security researcher Michael Cobb has discovered a new iOS attack technique, known as SandJacking, that exploits a certificate flaw in Xcode to let malicious users load apps onto victims' devices.
Apple requires all applications to be distributed through the official App Store to ensure that they are free of malware. The company uses automated tools to check submitted code, and each program is reviewed to ensure that it performs well and is reliable. Installed applications also run in a sandbox, which prevents other processes from accessing the app and its data. Furthermore, each app has to be signed with an Apple Developer ID certificate, which is issued only to members of Apple's Developer Program; registering for the program requires going through a verification process.
Before iOS 8.3, a possible attack scenario was to replace a legitimate program with a rogue version by assigning the malicious app the same identifier, known as a bundle ID. Since then, the system prevents the installation of an app whose bundle ID matches one already installed, so the original can no longer be overwritten in this way. This safeguard, however, is not applied during the restore process.
Chilik Tamir, a researcher from Mi3 Security, has demonstrated how an attacker with access to an unlocked iPhone can create a backup, delete a legitimate app, install a rogue version and then restore the backup.
The SandJacking attack works on non-jailbroken iPhones and gives criminals access to the sandbox data of the apps that the rogue versions replace. The only requirement is that the malicious version be signed, and malicious users can obtain unvalidated certificates simply by providing an Apple ID. The rogue apps can be distributed via sideloading or unofficial stores, bypassing Apple's application review process and store restrictions.
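The practical lesson of the attack is that a bundle ID alone does not identify an app: after a restore, the same bundle ID can be backed by a binary signed with a different, unvalidated identity. The following is an added example, not code from the article or from Mi3 Security, of the kind of inventory check a device-management or incident-response workflow could run to catch that. It assumes a hypothetical inventory record per app with a signing team identifier and a provisioning type; the baseline and post-restore inventories are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    """One installed app as it would appear in a device inventory (fields are assumed)."""
    bundle_id: str     # the identifier the article calls the bundle ID
    team_id: str       # assumed: team identifier taken from the app's signing certificate
    provisioning: str  # assumed: "app-store", "developer", or "free" (Apple ID only)


# Constructed baseline inventory recorded before a backup/restore cycle.
BASELINE = {
    "com.example.bank": InstalledApp("com.example.bank", "TEAMBANK01", "app-store"),
    "com.example.chat": InstalledApp("com.example.chat", "TEAMCHAT01", "app-store"),
}


def find_replaced_apps(current, baseline=BASELINE):
    """Return (bundle_id, reason) pairs for apps whose bundle ID matches the baseline
    but whose signing identity or provisioning type no longer does."""
    findings = []
    for app in current:
        known = baseline.get(app.bundle_id)
        if known is None:
            continue  # brand-new bundle ID: not a replacement of an existing app
        if app.team_id != known.team_id:
            findings.append(
                (app.bundle_id, f"signer changed {known.team_id} -> {app.team_id}")
            )
        if app.provisioning != known.provisioning:
            findings.append(
                (app.bundle_id,
                 f"provisioning changed {known.provisioning} -> {app.provisioning}")
            )
    return findings


# Constructed post-restore inventory: the bank app keeps its bundle ID but is now
# signed by a different team under a free (Apple ID only) provisioning profile.
AFTER_RESTORE = [
    InstalledApp("com.example.bank", "PERSONAL99", "free"),
    InstalledApp("com.example.chat", "TEAMCHAT01", "app-store"),
    InstalledApp("com.example.notes", "TEAMNOTE01", "app-store"),
]

if __name__ == "__main__":
    for bundle_id, reason in find_replaced_apps(AFTER_RESTORE):
        print(f"{bundle_id}: {reason}")
```

The check deliberately keys on the signer and provisioning type rather than on the bundle ID or the app's version string, because those are exactly the attributes a rogue replacement preserves; a newly appearing bundle ID is ignored since it is not an overwrite of an existing app's sandbox.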
The attack allows attackers to take full control of the compromised device. Possible infection scenarios include phone repair services, law enforcement agencies or family members.