Preparing Workspace ONE SDK and Wrapped Apps for iOS 13 OpenURL Changes

Overview

Testing against the iOS 13 betas shows that iOS 13 changes the parameters passed during the OpenURL handoff between applications from different developer accounts. This directly affects the communication mechanism between the Workspace ONE SDK and Workspace ONE Intelligent Hub or the Workspace ONE Legacy application. Updated versions of the Workspace ONE SDK (Swift) for iOS, the Workspace ONE SDK (Objective-C) for iOS, and the App Wrapping Engine, along with the apps mentioned above, will be provided to support iOS 13 devices. Without these updates, apps running on iOS 13 devices in the above scenarios will not be able to perform first-time setup or single sign-on workflows with Workspace ONE Intelligent Hub or the Workspace ONE app.


Customer Impact

Customers who build their apps using Workspace ONE SDK (Swift) for iOS, Workspace ONE SDK (Objective-C), and VMware AirWatch app wrapping for devices using iOS 13 will be impacted by this change.

Required Action

  • Customers building apps with the legacy Workspace ONE SDK (Objective-C) for iOS on iOS 13 devices enrolled with Workspace ONE Intelligent Hub will need to update to upcoming releases of Workspace ONE Intelligent Hub for iOS and Workspace ONE SDK (Objective-C) for iOS.
  • Customers building apps with the Workspace ONE SDK (Swift) for iOS on iOS 13 devices enrolled with Workspace ONE Intelligent Hub will need to update to an upcoming Workspace ONE Intelligent Hub for iOS. An update to the Workspace ONE SDK (Swift) for iOS is not required in this case to maintain functionality, though an update may be required if the security consideration mentioned below is a concern.
  • Customers building apps with the Workspace ONE SDK (Swift) for iOS on iOS 13 devices enrolled with Workspace ONE Legacy application will need to update to an upcoming version of the Workspace ONE for iOS app and Workspace ONE SDK (Swift) for iOS.
  • Customers using wrapped applications running on iOS 13 devices will need to re-wrap their applications with an upcoming version of the VMware AirWatch App Wrapping Engine. Expected deployment for the upcoming release is in the September time frame.
  • The OpenURL changes in iOS 13 indirectly introduce a new security gap which needs to be considered. Customers will also need to weigh the risk of this new security implication against the desired user experience on iOS 13 devices to determine whether a mitigation option needs to be taken. (See the section below regarding security considerations.)

Security Consideration

Workspace ONE SDK (Objective-C) for iOS and wrapped apps have a workflow where the Workspace ONE SDK or wrapped app can retrieve an authentication token along with user credentials from Workspace ONE Intelligent Hub via the iOS OpenURL mechanism for single sign-on purposes. Before the Workspace ONE Intelligent Hub app returns the credentials to the requesting Workspace ONE SDK or wrapped app, Workspace ONE Intelligent Hub validates the bundle identifier of the requesting app to ensure it matches a legitimate Workspace ONE SDK app. By combining this Workspace ONE Intelligent Hub validation mechanism with MDM device restrictions that prevent devices from trusting unmanaged enterprise apps, users were protected against malicious applications pretending to be Workspace ONE SDK apps.
Starting in iOS 13, the operating system no longer provides the bundle identifier of the requesting Workspace ONE SDK application to Workspace ONE Intelligent Hub, which prevents Workspace ONE Intelligent Hub from validating that the incoming request comes from a legitimate Workspace ONE SDK application. The lack of this validation creates a new avenue for malicious applications to mask themselves as a Workspace ONE SDK or wrapped app. For example, if an opportunistic attacker makes an iOS 13 user install a malicious app from the App Store, and if the malicious app has knowledge of the Workspace ONE SDK's OpenURL protocol, the app could appear to be a legitimate Workspace ONE SDK application and retrieve the user's login credentials from the Workspace ONE Intelligent Hub app.

Security Mitigation Options

  • If possible, update your Workspace ONE SDK (Objective-C) for iOS apps to use the Workspace ONE SDK (Swift) for iOS. The Workspace ONE SDK (Swift) for iOS does not utilize the OpenURL mechanism for single sign-on purposes. Instead, the first Workspace ONE SDK (Swift) for iOS app installed on the device requires the user to log in, and subsequent Workspace ONE SDK apps which share the same keychain will be logged in automatically.
  • If the device is MDM enrolled, uncheck the option in MDM profile restriction for Allow user to trust unmanaged enterprise apps. This restriction will prevent malicious spoofed applications from being installed and run on the device.
  • If the device is MDM enrolled and supervised, uncheck the option in MDM profile restriction for Allow installing public apps. This restriction will prevent malicious public apps which are not permitted by the administrator from being installed on the device.

If none of the options above are viable, add a key named RestrictCredentialsExchangeWithThirdPartyApplications to the custom settings payload in the Default Workspace ONE SDK profile assigned to the Workspace ONE Intelligent Hub for iOS app and set the value to true. Adding and enabling this key will cause Workspace ONE Intelligent Hub to not return the credentials to any requesting Workspace ONE SDK application. This change will also cause Workspace ONE SDK (Objective-C) for iOS apps to no longer share the Integrated Authentication Certificate credentials; IA credentials will be re-fetched by each Workspace ONE SDK (Objective-C) for iOS app separately. The custom settings payload must be formatted exactly like the example below. Additional keys can be added within the brackets, but do not add any strings outside of the brackets. Here is an example of how to configure this key:

{
"RestrictCredentialsExchangeWithThirdPartyApplications": true
}
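The formatting rule above (a single JSON object, the key set to the boolean true, nothing outside the outer brackets) is easy to get wrong when the payload is pasted into a console field. The following checker is an added example and is not VMware code; it knows nothing about Workspace ONE itself and only validates that a custom settings payload string satisfies the structure this article prescribes. The sample payloads at the bottom are constructed for illustration.

```python
import json
from typing import List

# Key name taken from this article; the value must be the JSON boolean true.
RESTRICT_KEY = "RestrictCredentialsExchangeWithThirdPartyApplications"


def validate_custom_settings(payload: str) -> List[str]:
    """Return a list of problems found in a custom settings payload.

    An empty list means the payload is acceptable: it is exactly one JSON
    object, contains RESTRICT_KEY, and that key is the boolean true.
    Extra keys inside the object are allowed, as the article permits.
    """
    problems: List[str] = []
    text = payload.strip()

    # Nothing may appear outside the outer brackets (labels, comments,
    # stray quotes), so the trimmed text must begin with '{' and end with '}'.
    if not (text.startswith("{") and text.endswith("}")):
        problems.append("payload must begin with '{' and end with '}'; "
                        "remove any text outside the brackets")
        return problems

    # json.loads also rejects two objects back to back ("Extra data") and
    # JavaScript-style trailing commas, both common paste mistakes.
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"payload is not valid JSON: {exc.msg} at offset {exc.pos}")
        return problems

    if not isinstance(data, dict):
        problems.append("payload must be a JSON object, not an array or scalar")
        return problems

    if RESTRICT_KEY not in data:
        problems.append(f"missing key {RESTRICT_KEY}")
    elif data[RESTRICT_KEY] is not True:
        # The string "true" or the number 1 is not the boolean the article asks for.
        problems.append(f"{RESTRICT_KEY} must be the JSON boolean true, "
                        f"got {data[RESTRICT_KEY]!r}")
    return problems


# Constructed sample payloads: one correct, the rest showing typical mistakes.
SAMPLE_PAYLOADS = {
    "correct": '{\n"RestrictCredentialsExchangeWithThirdPartyApplications": true\n}',
    "extra keys ok": '{"RestrictCredentialsExchangeWithThirdPartyApplications": true, "OtherKey": 1}',
    "string not bool": '{"RestrictCredentialsExchangeWithThirdPartyApplications": "true"}',
    "text outside": 'Custom settings: {"RestrictCredentialsExchangeWithThirdPartyApplications": true}',
    "trailing comma": '{"RestrictCredentialsExchangeWithThirdPartyApplications": true,}',
    "key missing": '{"OtherKey": 1}',
}


def check_samples() -> dict:
    """Run the validator over every constructed sample; returns name -> problems."""
    return {name: validate_custom_settings(p) for name, p in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, problems in check_samples().items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name:16s} {status}")
```

Only the first two samples pass; the others report the specific mistake, so an administrator can verify a payload before assigning the profile to the Workspace ONE Intelligent Hub app.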


Support Contact Information

To receive support, either submit a ticket via the My Workspace ONE portal or call your local support line.
Be sure to subscribe to this article to be notified of future updates such as upcoming release versions.


Best Regards,
The VMware Workspace ONE Team
