Subvert Trust Controls: Code Signing Policy Modification

Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device.

Mobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including Input Injection or malicious configuration profiles.

ID: T1632.001
Sub-technique of:  T1632
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
MTC ID: STA-7
Version: 1.1
Created: 30 March 2022
Last Modified: 16 March 2023

Procedure Examples

ID Name Description
S0505 Desert Scorpion

If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.[1]

S0420 Dvmap

Dvmap can enable installation of apps from unknown sources.[2]

S0551 GoldenEagle

GoldenEagle has modified or configured proxy information.[3]

S0485 Mandrake

Mandrake can enable app installation from unknown sources.[4]

S0549 SilkBean

SilkBean has attempted to trick users into enabling installation of applications from unknown sources.[3]

S1056 TianySpy

TianySpy can install malicious configurations on iPhones to allow malware to be installed via Ad Hoc distribution.[5]

G0112 Windshift

Windshift has installed malicious MDM profiles on iOS devices as part of Operation ROCK.[6]

S0490 XLoader for iOS

XLoader for iOS has been installed via a malicious configuration profile.[7]

S0311 YiSpecter

YiSpecter has used fake Verisign and Symantec certificates to bypass malware detection systems. YiSpecter has also signed malicious apps with iOS enterprise certificates to work on non-jailbroken iOS devices.[8]

Mitigations

ID Mitigation Description
M1012 Enterprise Policy

On iOS, the allowEnterpriseAppTrust and allowEnterpriseAppTrustModification configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys.

M1006 Use Recent OS Version

Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack.[9][10]

M1011 User Guidance

Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning).

Detection

ID Data Source Data Component Detects
DS0042 User Interface System Settings

On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.

On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.

References