Last week's release of iOS 8.4.1 brought more than just Apple Music fixes — it also patched a previously undisclosed hole in the app sandbox that made it possible for iOS devices operating in managed environments to unknowingly leak configuration and credential data to other third-party apps.
Dubbed "Quicksand" by its discoverers at security firm Appthority, the vulnerability stemmed from a permissions issue in the managed app configuration system. This system — introduced with iOS 7 — makes it easier for enterprises to administer iOS devices by providing a built-in mechanism for distributing and storing customized app configuration data, such as server URLs and corporate network information.
For example, a network administrator could pre-load a configuration file for an enterprise messaging app that includes the company's hosted server URL and access token. Once installed, the app could read that file and automatically configure itself without user intervention.
While the system was designed to limit access to those files to the apps for which they're intended, Appthority found that the files were actually readable by any app installed on the device.
This meant that attackers could exfiltrate the configuration data — which often includes sensitive access credentials or other secret company information — by creating a legitimate app, distributed through the App Store, that was designed to read the configuration files from other popular enterprise apps and then phone home.
Appthority worked with Apple to patch the problem in iOS 8.4.1, but the security firm says that as many as 70 percent of enterprise iOS devices are not updated for months after a new iOS version is released. For corporate administrators who are unable to update iOS, Appthority recommends that they reconsider storing sensitive data in the managed app configuration system and use other means — such as custom URL schemes — to provision the data after app installation.
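For administrators acting on that recommendation, the following is an added example (not code from Appthority or Apple) that audits a managed app configuration exported as a property list and reports entries that look like credentials. The key-name and URL heuristics, the function name `audit_managed_config`, and the sample configuration are assumptions constructed for illustration.

```python
import plistlib
import re

# Heuristics assumed for this example; tune them to your own apps' key names.
SENSITIVE_KEY = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|credential|private[_-]?key", re.I)
# A URL whose authority part carries user:password@ inline.
URL_WITH_USERINFO = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)

# Constructed sample: a messaging app's managed configuration.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>serverURL</key><string>https://chat.example.com</string>
  <key>accessToken</key><string>CONSTRUCTED-TOKEN-0001</string>
  <key>proxy</key>
  <dict>
    <key>url</key><string>http://svc:hunter2@proxy.example.com:8080</string>
  </dict>
  <key>allowScreenshots</key><false/>
</dict>
</plist>"""

def audit_managed_config(plist_bytes):
    """Return [(key_path, reason)] for values that should be provisioned another way."""
    findings = []

    def walk(node, path, key):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else k, k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]", key)  # list items inherit the parent key name
        elif isinstance(node, (str, bytes)) and node:
            if SENSITIVE_KEY.search(key):
                findings.append((path, "credential-like key name"))
            if isinstance(node, str) and URL_WITH_USERINFO.match(node):
                findings.append((path, "URL embeds credentials"))

    walk(plistlib.loads(plist_bytes), "", "")
    return findings

if __name__ == "__main__":
    for path, reason in audit_managed_config(SAMPLE):
        print(f"{path}: {reason}")
```

Only key paths and reasons are reported, never the values, so the audit output can be shared without spreading the secrets it found.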