Apple comments on Sidestepper, that supposed iOS MDM hijack security vulnerability...

Reports are circulating about a supposedly new iOS security vulnerability that involves a mobile device management (MDM) "hijack". Apple provided iMore with the following comment:

"This is a clear example of a phishing attack that attempts to trick the user installing a configuration profile and then installing an app," an Apple spokesperson told iMore. "This is not an iOS vulnerability. We've built safeguards into iOS to help warn users of potentially harmful content like this. We also encourage our customers to download from only a trusted source like the App Store and to pay attention to the warnings that we've put in place before they choose to download and install untrusted content."

From what I've seen, and based on my understanding of what's going on, Apple is correct. This looks like a traditional phishing/social engineering attack that attempts to trick someone into installing malware. And to do it successfully, that someone has to tap through multiple screens, ignore iOS' unverified developer warning and all common security best-practices, and confirm the installation.

In other words, it's like telling a bank manager you're the exterminator and getting them to let you into the vault, then claiming the lock is vulnerable to picking. It's no such thing. The person is vulnerable, and that's always the case in any system involving humans.

There's an argument to be made that Apple should warn people again before launching any enterprise apps installed this way. That's part of the constant struggle between convenience and security, where some will complain if there are not enough warnings and others if there are too many. If you tell someone there's a free game or adult content or something else they know is dodgy but still want, however, they'll blow through three or four warnings almost as quickly as two. Because, people.

Again, there's nothing new or novel about any of this that I can see. Phishing and social engineering attacks are something we've been warning people about for years and years. It's like getting an email asking you to verify your iCloud or Gmail login, your credit card or Amazon account details.

It's why we always tell people never to click or tap on links in an email and to only ever download apps from a trusted source like the App Store.

In this specific case, it appears to be even less of a concern for most people, since it's targeting people already using MDM, which is by no means the majority of iPhone or iPad users.

So, as always, stay informed but also stay critical. Don't let researchers or reporters steal your attention through fear-mongering. More often than not, that's the real malware.

Rene Ritchie
Contributor
