Among the many new features in iOS 9, Apple introduced a critical adjustment enterprises should note: a change in sideloading applications that we think is a serious win for security.
Sideloading is the act of downloading an app to a device, in this case an iOS device, without going through the official App Store. Many people don’t realize it, but you can download apps via links or websites on iPhones and iPads as long as they are signed by an iOS enterprise developer certificate. These certificates are given to companies for the purpose of distributing apps easily to their own employees’ devices. However, you can use these certificates issued by Apple to install an app on any iOS device.
While enterprises often use this as a method for distributing homegrown apps, malicious actors also use sideloading (via enterprise certs, in many cases bought on the black market) to distribute their malware. Wirelurker, Hacking Team’s iOS malware, and XAgent are all examples of malware that use this kind of distribution.
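For defenders reviewing an app package, the signing channel described above is visible in the provisioning profile that ships inside a sideloaded IPA. The following is an added example, not code from the original post: it reads `embedded.mobileprovision`, uses Apple's profile keys `ProvisionsAllDevices`, `ProvisionedDevices` and `TeamName`, and flags enterprise-signed builds from teams outside an allowlist. The function names, the allowlist and the sample profile are constructed for illustration.

```python
import plistlib
import zipfile

def extract_profile(blob: bytes) -> dict:
    """Pull the XML plist out of an embedded.mobileprovision blob.

    The profile is a CMS-signed container; the signature is NOT verified
    here, so treat the result as triage data, not as proof of origin.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    """Map a profile to the distribution channel it permits."""
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"        # installable on any device
    if profile.get("ProvisionedDevices"):
        return "device-limited"    # development / ad hoc: listed UDIDs only
    return "unknown"

def triage_ipa(ipa, allowed_teams=frozenset()) -> dict:
    """Inspect an IPA (path or file object) and flag unexpected enterprise signing."""
    with zipfile.ZipFile(ipa) as z:
        for name in z.namelist():
            parts = name.split("/")
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app")
                    and parts[2] == "embedded.mobileprovision"):
                profile = extract_profile(z.read(name))
                kind, team = classify(profile), profile.get("TeamName")
                return {"kind": kind, "team": team,
                        "flag": kind == "enterprise" and team not in allowed_teams}
    # No embedded profile found in the bundle.
    return {"kind": "no-profile", "team": None, "flag": False}

def sample_blob(**keys) -> bytes:
    """Constructed stand-in for a profile: fake CMS bytes around a real plist."""
    return b"\x30\x82\x0f\x00" + plistlib.dumps(keys) + b"\x00sig-bytes"

if __name__ == "__main__":
    blob = sample_blob(TeamName="Example Corp (constructed)", ProvisionsAllDevices=True)
    print(classify(extract_profile(blob)))
```

A flagged result means only that the package can be installed on any device by a team you did not expect; whether the certificate is still valid has to be checked separately.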
When sideloading, a person must first trust the developer associated with an app. In previous iOS versions, sideloading an app meant approving, on the spot, that you wanted to trust the developer. It was a two-step process:
First, after clicking on a link in an email or on a website, a dialogue box would appear asking the person if they wanted to install the app at hand:
After clicking “install,” the app would download to the phone. When the person then clicked on the newly downloaded app’s icon, a second dialogue box would note that this app is from an untrusted developer and ask whether or not to trust that developer:
This was very easy to click through in order to get to the desired app. Now, however, users aren’t even given the option to trust the developer on the spot. Instead, they must intentionally go to Settings in order to trust a developer. Here’s the new flow:
It starts off similarly, with a query on installing the app:
Then, once the app has downloaded and a person goes to launch the app, they are notified that this is not a trusted developer and that they will not be able to use the app. The only option is to “dismiss” the notification. If no action is taken from there, this is the dialogue they’ll see each time they try to open the app.
A person can, however, trust developers via the device’s settings. They go to Settings, then tap General and then Profiles, and are given a list of untrusted certificates.
After clicking on one of the certs, the user is given the option to “trust.”
After clicking trust, the cert is then remembered by the phone as trusted, and the user can launch the app.
Enterprises that distribute homegrown apps will be happy to know that apps pushed through MDM will be automatically trusted and employees will not have to follow these steps.
Complication is good in this case
This is a significantly more complicated flow, which will weed out many of the people who will download apps without much caution, but it doesn’t negate the fact that it only takes one weak link to compromise the network. We anticipate that apps using enterprise certs to distribute via sideloading will also include walk-throughs on how to complete this process.
There are plenty of reasons people might download apps from outside of the App Store as well. Pirated media, such as videos and music, is an example of this.
On the whole, we believe this is an excellent change, and are excited to see companies thinking of security by design.