Unrated severity · NVD Advisory · Published Jul 3, 2015 · Updated May 6, 2026

CVE-2015-3722

Description

In iOS before 8.4, the App Store failed to enforce unique bundle IDs, allowing a crafted provisioning profile app to cause launch outages via ID collision.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Apple iOS prior to version 8.4, the Application Store install logic for universal provisioning profile apps did not verify that a new app's bundle ID was unique. An attacker could exploit this by crafting a malicious app that uses a bundle ID already associated with a legitimate app, causing a collision. The issue affected iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later [1].

Exploitation

An attacker creates a universal provisioning profile app that declares an existing bundle ID. The victim must install this malicious app, likely through a distribution channel that accepts such profiles (e.g., enterprise deployment). No additional authentication or network position beyond delivering the app is required. Once installed, the app triggers a bundle ID collision with the installed legitimate app [1].

Impact

Successful exploitation results in a denial of service: the legitimate app associated with the colliding bundle ID becomes unable to launch. No data theft, privilege escalation, or code execution is reported. The attacker gains the ability to interfere with app availability on the device [1].

Mitigation

Apple addressed this issue in iOS 8.4, released on June 30, 2015, by introducing improved collision checking for bundle IDs. Users should update to iOS 8.4 or later to receive the fix. No workarounds are documented for unpatched versions [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
