Apple's iOS operating system faces another major security risk with the discovery of SideStepper, an attack that opens enterprise devices to data theft and malicious apps.
Check Point Security described the vulnerability in a white paper, saying that corporate devices using Mobile Device Management (MDM) tools are at risk.
SideStepper takes advantage of an apparent loophole in iOS 9 that allows attackers to install malicious apps on enterprise employees’ iPhones and iPads while pilfering the information stored on the devices.
"The flaw enables threat actors to stage a man-in-the-middle attack that hijacks communications between managed iOS devices and MDM solutions," said Check Point.
"This exploit could give threat actors control of devices, the data that resides on them, and even enterprise services, potentially affecting millions of iOS users worldwide whose devices are managed by an MDM."
The problem affects only those using MDM solutions, Check Point explained, as this process allows IT teams to install apps onto employees' devices that are not reviewed, approved or hosted by Apple.
"iOS natively trusts any app installed by MDM solutions, which are exclusively used by businesses. In fact, an app installed by an MDM will not show any indication of its origin," Check Point said. "Apple gives apps installed using MDMs a free pass from heightened security measures."
Check Point notified Apple about the attack in October last year. Apple apparently responded in November saying that the behaviour demonstrated by the research team “is expected”.
Apple gave a less vague statement to The Verge: "This is a clear example of a phishing attack that attempts to trick the user into installing a configuration profile and then installing an app.
"This is not an iOS vulnerability. We've built safeguards into iOS to help warn users of potentially harmful content like this. We also encourage our customers to download from only a trusted source like the App Store and to pay attention to the warnings that we’ve put in place before they choose to download and install untrusted content."
Earlier this month Palo Alto Networks uncovered AceDeceiver, an iOS malware threat that targets non-jailbroken iDevices via a flaw in Apple's DRM mechanism. The security firm was also the first to uncover WireLurker, described as the biggest iOS security threat to date.