Security bod Kevin Watkins says Apple is storing enterprise credentials in a readable-by-anybody directory that is ripe for data theft.
The sandbox vulnerability (CVE-2015-3269) affects all apps that use the managed app configuration setting in devices that have not applied the most recent iOS 8.4.1 update.
Watkins says sensitive enterprise data is exposed when IT issues autofill corporate credentials to managed devices to simplify login processes.
"IT will commonly send the credential and authentication information along with the managed app binary for installation on corporate mobile devices [which] often included access to the corporate data security jewels, including server URLs, and credentials with plaintext passwords," Watkins says.
"The underlying issue with our critical sandbox violation discovery is that … anyone can also see the credential information on the mobile device as it is stored world readable.
"An attacker could target as many enterprises it can get into using the iTunes store to spread an app designed to read and share the configuration files, or a specific target through traditional spear-phishing attacks."
Corporate apps are the most affected of those from where data can leak into the open directory. These include mobile device management, those tapping email and business documents, and secure web browser apps for enterprise networks.
Those tests revealed medical apps used by doctors to access patient data are also affected.
Watkins finds about half of affected apps leaked usernames, passwords, and authentication tokens, while more than two thirds referenced server identification information.
While Cupertino has patched the hole, some 70 percent of Apple mobile users run outdated iOS versions even "several months" after a fix is released, making the vulnerability ripe pickings for thieves.
Watkins recommends says attackers will be well served designing a productivity app in a bid to lure corporate staff to install it on their vulnerable handsets where it can continuously monitor the world-readable directory for credentials to be shipped off to a remote server.
Such an app can hide in plain sight since many legitimate apps have access to the directory.
The security bod suggests credentials should only be stored in the device keychain and iOS single sign-on should be used where possible. ®