I've learned that it's possible to inject new configuration into an MDM-managed application using MDM, so that the managed app configuration changes that are pushed down from an MDM server appear in NSUserDefaults.

Then I can add an observer to be notified of any changes that occur in NSUserDefaults.

The app configuration will be stored under the following key: com.apple.configuration.managed. A usage example can look like this:

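import Foundation
// Returns the server URL delivered through managed app configuration, if any.
func managedServerURL() -> String? {
    if let managedConf = UserDefaults.standard.object(forKey: "com.apple.configuration.managed") as? [String: Any] {
        if let serverURL = managedConf["serverURL"] as? String {
            return serverURL
        }
    }
    return nil
}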

However, what prevents another entity from modifying the configuration outside the MDM? As I understand it, NSUserDefaults is writable even from the terminal, so there's no limitation on just pushing new configuration that is unauthorized.

An example of changing the configuration could be:

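// Copy the current managed configuration so that it can be modified
var managedConf = UserDefaults.standard.dictionary(forKey: "com.apple.configuration.managed") ?? [:]
managedConf["serverURL"] = "BAD_SERVER_NAME"
let defaults = UserDefaults.standard
defaults.set(managedConf, forKey: "com.apple.configuration.managed")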

Perhaps it's only possible to write the application's user defaults from within the application?

  • In general only the app itself can write to its sandboxed user defaults. Any attack via the terminal would require a USB connection to the device (which is protected by the device passcode) and/or the device to be jailbroken. These require physical access to the device and the device passcode. A general position in information security is that you cannot completely secure a device that is in the physical possession of someone else. However, the likelihood of an attack on the user defaults for your app would seem to be low. At the very least it would be a highly targeted attack. Commented Dec 17, 2023 at 22:25
  • Thanks for your response! I wonder what would be the case if I wanted to port my application to macOS, which doesn't need to be jailbroken to enable writing to an application's user defaults outside the application... I thought managed devices can prevent such attacks even for privileged users. Commented Dec 18, 2023 at 5:00
  • While an attack is easier on macOS it would still probably require physical access to the device. The path to the user defaults file would be randomised, so it would be a highly targeted attack that was written to find the specific file and change the value. As with everything in security you need to assess the value of what is being protected, how much effort an attacker is going to go to (which is typically proportional to the value) and the cost (which may not be purely financial) of mitigation. Commented Dec 18, 2023 at 6:23
  • In this instance it may well be a simpler attack to poison the device DNS to change the resolved IP address of the server than to change the config file. Commented Dec 18, 2023 at 6:24
  • Perhaps you know where the userDefaults data of an application is stored... It's persistent data, so I presume it's backed by some file, but which one? If I know the file, I'd be able to protect this file or at least monitor write access. Thanks! Commented Dec 18, 2023 at 8:10
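
An added example (not from the original post or its comments): one way for the app to treat the managed configuration as untrusted input, accepting `serverURL` only if it is HTTPS and on a compiled-in allowlist, and re-validating whenever the defaults change. The host names, the `ConfigError` cases and the `ManagedConfigWatcher` type are assumptions made for illustration.

```swift
import Foundation

// Key under which MDM delivers managed app configuration (from the post).
let managedConfigKey = "com.apple.configuration.managed"

// Assumption: hosts the app is willing to talk to, compiled into the binary.
let allowedHosts: Set<String> = ["api.example.com", "api-eu.example.com"]

enum ConfigError: Error { case missing, notHTTPS, hostNotAllowed(String) }

/// Returns the managed serverURL only if it is HTTPS and on the allowlist.
func validatedServerURL(from defaults: UserDefaults = .standard) throws -> URL {
    guard let conf = defaults.dictionary(forKey: managedConfigKey),
          let raw = conf["serverURL"] as? String,
          let parts = URLComponents(string: raw),
          let host = parts.host?.lowercased(),
          let url = parts.url else { throw ConfigError.missing }
    guard parts.scheme?.lowercased() == "https" else { throw ConfigError.notHTTPS }
    guard allowedHosts.contains(host) else { throw ConfigError.hostNotAllowed(host) }
    return url
}

/// Re-validates on every defaults change; keeps the last good URL on failure.
final class ManagedConfigWatcher {
    private(set) var serverURL: URL?
    private var token: NSObjectProtocol?

    init(defaults: UserDefaults = .standard) {
        serverURL = try? validatedServerURL(from: defaults)
        token = NotificationCenter.default.addObserver(
            forName: UserDefaults.didChangeNotification, object: defaults, queue: .main
        ) { [weak self] _ in
            do { self?.serverURL = try validatedServerURL(from: defaults) }
            catch { print("Rejected managed config change: \(error)") }
        }
    }

    deinit { if let token = token { NotificationCenter.default.removeObserver(token) } }
}

// Constructed sample values in a throwaway suite, not real managed configuration.
let demo = UserDefaults(suiteName: "managed-config-demo")!
demo.set(["serverURL": "https://BAD_SERVER_NAME"], forKey: managedConfigKey)
print((try? validatedServerURL(from: demo)) as Any)
demo.set(["serverURL": "https://api.example.com"], forKey: managedConfigKey)
print((try? validatedServerURL(from: demo)) as Any)
```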
