Obtain Apple iOS enterprise distribution key pair and certificate

From pre-attack
Jump to: navigation, search


Obtain Apple iOS enterprise distribution key pair and certificate
Technique
ID PRE-T1169
Tactic Persona Development

Definition

The adversary can obtain an Apple iOS enterprise distribution key pair and certificate and use it to distribute malicious apps directly to Apple iOS devices without the need to publish the apps to the Apple App Store (where the apps could potentially be detected).1234

Difficulty for the Adversary

Easy for the Adversary (Yes/No): No

Explanation: Apple requires a DUNS number, corporate documentation, and $299 to obtain an enterprise distribution certificate. Additionally, Apple revokes certificates if they discover malicious use. However, the enrollment information could be falsified to Apple by an adversary, or an adversary could steal an existing enterprise distribution certificate (and the corresponding private key) from a business that already possesses one.

Detection

Detectable by Common Defenses (Yes/No/Partial): Partial

Explanation: Starting in iOS 9, Apple has changed the user interface when installing apps to better indicate to users the potential implications of installing apps signed by an enterprise distribution key rather than from Apple's App Store and to make it more difficult for users to inadvertently install these apps. Additionally, enterprise management controls are available that can be imposed to prevent installing these apps. Also, enterprise mobility management / mobile device management (EMM/MDM) systems can be used to scan for the presence of undesired apps on enterprise mobile devices.