Security bod Kevin Watkins says Apple is storing enterprise credentials in a readable-by-anybody directory that is ripe for data theft.
The sandbox vulnerability (CVE-2015-3269) affects all apps that use the managed app configuration setting in devices that have not applied the most recent iOS 8.4.1 update.
Watkins says sensitive enterprise data is exposed when IT issues autofill corporate credentials to managed devices to simplify login processes.
“IT will commonly send the credential and authentication information along with the managed app binary for installation on corporate mobile devices [which] often included access to the corporate data security jewels, including server URLs, and credentials with plaintext passwords,” Watkins says.
“The underlying issue with our critical sandbox violation discovery is that … anyone can also see the credential information on the mobile device as it is stored world readable.”