From some years ago, almost everybody use mobile devices and mobile Internet access in a daily basis. Nowadays, most corporates allow using smartphones or tablets in order to access to corporate resources such as email or even corporate critical information. Definitely, mobility is in fashion.
Since now mobile devices handle highly critical information, they’re not just phones anymore. Now lots of well-known threats affect these devices and even some new ones.
As a response, some software firms have developed a kind of security software called Mobile Device Management (MDM). This software controls and protects the device by applying security policies on it. For instance, a MDM could block software installation, in order to avoid the device being infected by a user’s misuse.
However, this kind of software rarely can install new features in the mobile operating system, so they often use security features that they already have, but they make easier setup and deployment. For instance, MDMs on iOS usually relies on the Apple Configuration Profiles feature. In addition, these profiles are configured in order to block uninstalls.
That’s fine! It’s true that a user can’t uninstall a profile if “uninstall” button doesn’t exists in the interface, but an advanced user with an access such as SSH (on a Jailbreaked device, of course) can change this profiles in a different way. A configuration profile is stored as an XML file with .stub extension, in the following directory: /private/var/mobile/Library/ConfigurationProfiles/
These XML files, created by MDM software, are easily readable and most of parameters can be changed without any integrity control:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<string>Configures security-related items.</string>
<string>XXXXXX - Configure.passcode</string>
<string>XXXXXX - Configure</string>
<string>Payload Count: 1</string>
All the restrictions about the device use can be bypassed by editing this file. For instance, we can change the “ProfileWasLocked” key and set it up to “false”. Now, something in the user interface must change:
These changes sometimes disappear when a change in a configuration profile is applied, since these files are overwritten. But… what if we just don’t allow this overwrite?
# chmod -w -R /private/var/mobile/Library/ConfigurationProfiles
Of course, Jailbreaking your iOS is mandatory for all these techniques, so MDM software usually try to detect and block jailbreaked devices. Sadly, they mostly use a too easy approach such as looking for an installed application called Cydia, which is the most common alternative “App Store”. As a consequence, you can bypass this kind of jailbreak detection easily, just by renaming an application or making other similar changes.
Summarizing, Mobile Devices should be protected since they sometimes handle highly critical information, but most security software (such as MDM) is not as useful as it should. Be careful when designing and deploying your Mobile Device protections, choose a proper software provider and set it up in detail. If not, it can turn in a waste of time and money.
Dept. ACSS S21sec
Twitter / Blog