Threat Category: Enterprise Mobility
Threat Description: The EMM application on the device may improperly validate X.509 certificates, which can allow attackers to perform man-in-the-middle attacks using a crafted certificate.
The Security of MDM Systems [1]
As part of the decision process when choosing to deploy an EMM solution that uses an on-device agent app, verify with the suite vendor that the agent app properly validates the digital certificate of the EMM server for any communication session.
Consider choosing on-device agent apps that have been certified against the most recent NIAP protection profile for MDM agents, as this provides a measure of assurance that the agent properly validates digital certificates.
To mitigate the risk of a MiTM attack on remote agent-server communications (for on-premises deployments) due to improper certificate validation by the agent, use mobile OS-provided VPN features to first establish a secure connection to the enterprise network.
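The following is an added illustration, not code from the catalogue or from any EMM vendor, of what "properly validates the digital certificate" means for an agent's TLS client, using Python's standard `ssl` module. It shows a weak client configuration (trust check and hostname check both switched off, the condition that lets a crafted certificate through) beside a hardened one, an `audit_tls_context` check that flags the weak settings, and a stand-alone `hostname_matches` routine that applies the RFC 6125 rules for matching a server name against the certificate's DNS subject alternative names (case-insensitive, wildcard only as the entire leftmost label, never across a dot). The host and SAN values are constructed for the example.

```python
import ssl
from typing import List

# Finding codes returned by audit_tls_context (names chosen for this example).
CERT_NOT_REQUIRED = "CERT_NOT_REQUIRED"        # server chain not checked against a trust store
HOSTNAME_NOT_CHECKED = "HOSTNAME_NOT_CHECKED"  # certificate not tied to the server name dialled
LEGACY_TLS_ALLOWED = "LEGACY_TLS_ALLOWED"      # TLS 1.0/1.1 negotiable


def weak_context() -> ssl.SSLContext:
    """Client context as an improperly validating agent would build it:
    any certificate, for any name, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Client context that requires a chain to a trusted CA, requires the
    certificate to match the dialled hostname, and refuses legacy TLS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of weak settings found on a client SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(CERT_NOT_REQUIRED)
    if not ctx.check_hostname:
        findings.append(HOSTNAME_NOT_CHECKED)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(LEGACY_TLS_ALLOWED)
    return findings


def hostname_matches(hostname: str, san_dns_names: List[str]) -> bool:
    """RFC 6125 style match of a dialled hostname against the certificate's
    dNSName SAN entries. Returns True only for an exact label-wise match or a
    well-formed leftmost-label wildcard (e.g. *.example.com)."""
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".")
        if "*" not in pattern:
            if host == pattern:
                return True
            continue
        labels = pattern.split(".")
        # Wildcard must be the whole leftmost label, must not cover a
        # public-suffix-sized name such as *.com, and must be the only one.
        if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
            continue
        if len(host_labels) == len(labels) and host_labels[1:] == labels[1:]:
            return True
    return False


if __name__ == "__main__":
    print("weak context findings:", audit_tls_context(weak_context()))
    print("hardened context findings:", audit_tls_context(hardened_context()))
    # Constructed server name and SAN list for a hypothetical EMM server.
    print(hostname_matches("mdm.example.com", ["*.example.com"]))
    print(hostname_matches("a.b.example.com", ["*.example.com"]))
```

When reviewing an agent, the two settings that `audit_tls_context` reports are the ones to ask the vendor about: a client that skips chain verification or hostname matching will accept a certificate minted by anyone who can intercept the connection, which is exactly the scenario the VPN mitigation above is meant to contain.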
[1] S. Andrivet, The Security of MDM systems, presented at Hack In Paris, 20 June 2013; https://hackinparis.com/data/slides/2013/MDM-HIP_2013.pdf [accessed 8/23/2016]