On October 4, 2015 Palo Alto researchers published an article detailing a malware attack on non-jailbroken devices. The full article can be read here.
To summarize, the malware takes advantage of private APIs and tricks to hide the malicious applications from the end user and to deliver content to a command and control server. These applications can be installed either through enterprise distribution certificates or through Apple’s App Store.
Per Palo Alto, “the malware primarily affects iOS users in mainland China and Taiwan” and has been in the wild for approximately 10 months.
“This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.”
Good is unaware of any specific attack against Good applications, but customers are advised to upgrade to the latest generally available version of iOS, which as of this writing is 9.0.2.
As a security company, Good Technology takes the security of our products and the security of our customers very seriously.
As with many software companies, we occasionally get approaches from security researchers who have found issues in our products and who wish to discuss them. We have a process in place for getting back to researchers, working with them to assess the issues, identifying immediate mitigations and longer-term fixes, notifying customers and rolling out updates. In general, most researchers work well with this process and, once we have fixes in place, they put out their disclosure statements. Sadly, not all researchers are so cooperative.
Recently the security research group ModZero put out a disclosure of an issue regarding the way that Android's lack of authentication of application IDs interacts with Good's "Easy Activation" feature. They did so without disclosing the issue to us in advance and in their release they accused Good of being uncooperative. Good strongly denies the assertion that we were uncooperative and we would like to put forward the facts and set the record straight.
Over the last three years ModZero have raised two issues regarding Good products. The first time was in June 2013 when, as part of a penetration test that they performed on behalf of one of our customers, they discovered a cross-site scripting issue in one of our consoles. At the time they said that they would like to disclose the issue, and our security team asked if they would hold off on any disclosure for an additional 45 to 60 days in order to ensure that not only had we released the fix but that our customers would have had the opportunity to deploy the update. Our security team also noted they were concerned that, since the work was performed on behalf of a customer and the customer was subject to an NDA, they would need permission to disclose.
The second interaction Good had with ModZero was on September 9th this year, when they contacted Good indicating that they had discovered another issue but provided no detail. They asked us if we wanted them to (a) abide by their "Responsible Disclosure" policy, (b) just release the issue or (c) do nothing. We replied the same day offering "our security experts will be more than happy to either discuss newly discovered vulnerabilities with your Team over the phone or review the report of findings should you decide to share it with us (which will be very much appreciated)." They replied the following day saying "Ok," further asking if we were OK with them releasing the details of the previous issue and asking when the previous issue had been fixed. That same day we replied that we were happy for them to release the details of the XSS bug. We also provided details of the release in which it was fixed and a link to the latest version of the affected software so that they could test it, and closed with "Let me know if you have any other questions."
ModZero never replied to this email. Instead, two weeks later, they released the details of their recent findings without any prior disclosure of the details to us and they accused Good of being uncooperative. We do not believe that this is in any way a fair assessment.
ModZero did not follow their own "Responsible Disclosure" policy. They ignored offers by Good to discuss their findings with us and they went ahead and released the details before we had any chance to assess the issue. At all times we were responsive to their requests and the implication that we were uncooperative is without foundation.
Last week, after they released these findings and wrote a blog post about Good not being cooperative, I emailed Max Moser, one of the founders and author of some of the messages in the discussion thread, asking him what he thought was uncooperative and what he would have liked us to do differently. I have still not had a reply.
As I mentioned before, we take the security of our products and of our customers very seriously. We do our best to cooperate fully with researchers who bring issues to our attention. Sadly, some of them are quite uncooperative.
Customers are advised that the underlying issue disclosed by the researcher is not unique to Good. The vulnerability relies on tricking users into installing malicious Android applications. These applications could be designed to appear as official versions of other generally available commercial apps.
The vulnerability described uses the Good Dynamics Easy Activation feature (https://community.good.com/docs/DOC-3115). To be clear, the publication from the researcher does not describe a weakness in Easy Activation itself. The example provided relies on tricking the user into downloading and installing a malicious version of a Good application.
In summary, for the attack to work the user would need to:
Download a malicious Android application. Good recommends only downloading applications published in the Google Play store. Further, Good recommends that the applications installed are published by Good Technology or one of our official ISV partners. A list of these partners can be found here.
The end user would then have to click the Easy Activation button and select the Good For Enterprise (GFE) app as the activation delegate. It is important to note that, by design, the Easy Activation flow does not involve validating the application ID (i.e. the Good Dynamics ID or GDID), because the role of the delegate app (GFE in this case) is only to provide the provisioning key to the requesting application. The provisioning key can be issued to any application that is built with the GD SDK.
The user must then enter their GFE credentials to complete the activation of the malicious application. After obtaining the provisioning key, the malicious application will attempt to authenticate and register itself in Good Control (GC). The provisioning would only succeed if the above-mentioned GDID has been entitled in the GC database by an IT Admin.
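As an added illustration of the kind of check the delegate flow described above does not perform, the hypothetical Android code below (example code written for this advisory, not Good's GD SDK or GFE implementation) has a delegate verify the requesting app's signing certificate against a pinned allow-list before it releases a provisioning key. The package name and digest values are placeholders, and the IPC mechanism (a bound service or content provider) is assumed.

```java
// Hypothetical delegate-side check, not GD SDK code. Assumes the request
// arrives over Binder IPC so the caller's UID is available to the delegate.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public final class DelegateSignatureCheck {
    // Allow-list: package name -> SHA-256 (hex) of the publisher's signing cert.
    // PLACEHOLDER values; a real list holds the digests of approved Good/ISV apps.
    private static final Map<String, String> APPROVED = new HashMap<>();
    static {
        APPROVED.put("com.example.isv.approvedapp", "PLACEHOLDER_SHA256_HEX");
    }

    /** True only if the calling UID maps to an approved package whose sole signer matches the pin. */
    public static boolean callerIsApproved(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null) return false;
        for (String pkg : pkgs) {
            String expected = APPROVED.get(pkg);
            if (expected == null) continue; // a package name alone proves nothing
            try {
                @SuppressWarnings("deprecation") // GET_SIGNATURES is the pre-API-28 call
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
                Signature[] sigs = info.signatures;
                // Require exactly one signer; a second signer could be attacker-controlled.
                if (sigs != null && sigs.length == 1
                        && expected.equalsIgnoreCase(sha256Hex(sigs[0].toByteArray()))) {
                    return true;
                }
            } catch (Exception e) {
                // Not installed, or digest failure: treat as unapproved.
            }
        }
        return false;
    }

    private static String sha256Hex(byte[] data) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The delegate would call callerIsApproved before handing out the provisioning key, so that a sideloaded app that merely claims an entitled GDID is refused even if the user selects it during Easy Activation.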
It should be noted that the issue identified does not impact devices running Good apps on the Samsung KNOX platform since this platform deploys additional controls to prevent the execution of untrusted applications.
Good is reviewing the technical details of the issue reported by the security researcher and is exploring possible solutions. We will update this advisory should we decide to implement a fix or provide additional mitigating controls to the customers.
While Good continues to review and improve, we recommend following these steps for better protection:
Educate users to only install applications from trusted and reputable application repositories. This can include Google Play or, for internally developed applications, an internal enterprise application store.
Publish a list of enterprise applications and links to those applications that are approved and allowed in the enterprise.
Good has reviewed the technical details of this issue and we have identified a potential enhancement to the validation checks in the GD application activation process that may enable us to detect malicious activation attempts. If successful, this enhancement will be made available in the next release.
Meanwhile, customers are advised to ensure all users are warned against installing any applications that are from untrusted sources.