Attackers with physical access to an unlocked iPhone can use a SandJacking technique to replace a legitimate app...
with a malicious version of it, which can access sandboxed data from the phone. I read that Apple addressed the issue with a patch, but that the SandJacking technique may have been altered. What's the latest on this technique, and what's the best way to mitigate it?
Once a security researcher or attacker has physical access to a device's hardware and sufficient resources, he will be able to bypass the security on a system. This is what happens in the SandJacking attack -- Chilik Tamir, chief architect of research and development at mobile security firm Mi3 Security, gave a presentation at the Hack In The Box security conference where he was able to load malware on an iPhone without jailbreaking it.
A SandJacking attack can be performed on an unlocked iPhone using a rogue application, a developer certificate for signing the rogue application and a computer. The rogue version of an application would be signed by the developer certificate to replace the legitimate application when the iPhone is connected to the computer. The malicious application would reuse the bundle ID of a legitimate application and other details to make itself look like the legitimate application and give it access to the data in the application sandbox. Tamir also developed a toolkit to automate the attack, but withheld the toolkit until a patch is released by Apple. Apple had patched an earlier version of the SandJacking attack, but Tamir updated the attack to exploit a weakness in how the restore application functionality on iOS worked.
Since there isn't a patch for the current SandJacking attack, enterprises and individuals will need to be diligent about who has physical possession of their iPhones, because anyone with physical possession and the PIN could use this attack. If your enterprise is concerned about this and other attacks from third-party repair companies, it could back up the device's data and do a factory reset to the default OS prior to having it repaired, to ensure no unauthorized access to enterprise data. Stating the obvious, once a patch is available, it should be installed on vulnerable devices.
Find out how a malicious app bypassed the Google Play store security
Learn how expired domains present a way for malicious activity on mobile devices
Read about the best iOS app development tools
Dig Deeper on Mobile security threats and prevention
Related Q&A from Nick Lewis
The Zealot campaign discovered by F5 Networks uses the same Apache Struts vulnerability exploited in the Equifax breach. Learn how else it performs ... Continue Reading
Facebook Messenger is being used to reach more victims with a cryptojacking bot that Trend Micro researchers named Digimine. Learn how this bot works... Continue Reading
Spider ransomware has been found spreading malicious files via a phishing campaign that gives victims a 96-hour deadline. Learn how this attack is ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.