Billions of Apple ( AAPL ) iPhones and iPads could be exposed in an iOS 9 vulnerability, Check Point Software Technology ( CHKP ) researchers were slated to announce Thursday morning at Singapore’s Black Hat Asia 2016 conference. Enterprise applications installed via Mobile Device Management (MDM) software are exempt from Apple’s latest security changes, which means that an attacker can hijack legitimate communications to install malicious apps, says the security firm. It’s still theoretical, Avi Rembaum, Check Point vice president of security solutions, told IBD on Wednesday. Black Hat gives researchers an opportunity to discuss hypothetical threat vectors, including this new so-called “Sidestepper” vulnerability. “Unfortunately, a lot of those things we talk about that might happen often end up happening,” he said. Few Barriers To Entry Apple recognized a key piece of the Sidestepper vulnerability in iOS 8. For $299 a year, an enterprise can purchase an Apple certificate to upload a private app via the Apple Developer Enterprise Program. “But if someone is going to be malicious, they don’t really care about signing a (certificate) agreement, plus it’s $299 per year to get that certificate,” Rembaum said. “There weren’t many barriers to entry.” Enterprises are headily embracing the “Bring Your Own Device” trend and, in one case study of a Fortune 100 company, Check Point found 318 private apps and 116 unique certificates on employees’ devices. Those numbers were suspiciously high, Rembaum said. “When we looked deeper … they were on the sketchier side and were from parts of the world that could be problematic,” he said. “We saw a very small number of them that would be considered white-listed (trustworthy).” So in iOS 9, Apple upped the challenges to installation, says Check Point. But the new challenges don’t cover MDM-pushed updates to employees’ devices. Of the 1.2 billion installed iPhones and iPads, 79% have iOS installed and are therefore vulnerable. Intercepting Legit Connections Enterprises often rely on MDM services like those by BlackBerry ( BBRY ) (via its Good Technology acquisition), VMWare ( VMW ) and MobileIron ( MOBL ) to push updates onto employees’ devices, thereby avoiding the “headache” of ensuring that every app has identical settings, Rembaum said. That MDM-device connection, however, is also a powerful portal for Man-in-the-Middle (MitM) attacks, he said. A hacker can, theoretically, intercept the communications between MDM and device to install a certificate and then a malicious app. Often, the interception relies on social engineering, he said. “An attacker would send a text message to the target with a link to download the configuration file,” he said. “It would install a certificate and configuration instructions in the phone. The only thing the user has to do is say yes to installing.” Then the attacker is in — with access to a user’s address book, microphone, photos, GPS, apps and, possibly, company data. Education Alone Isn’t Enough Rembaum recommends that MDM users take a “multilayer approach” to mobile security. Because hackers often rely on social engineering to launch phishing attacks — by email, text message or social media — enterprises should train employees on red flags. Phishing attacks cost businesses more than $215 million between October 2013 and December 2014, according to a January report by the FBI. This month, Seagate Technology ( STX ) discovered that it had been duped into handing out nearly 10,000 W-2 forms belonging to former and current employees. The Seagate revelation came on the heels of a similar attack on privately held Snapchat. Scammers often change a single letter in an email address or impersonate a CEO’s email address, Barracuda Networks ’ ( CUDA ) Slawek Ligier and Proofpoint ’s ( PFPT ) Ryan Kalember told IBD. Outside education, an enterprise can install Check Point’s Mobile Threat Prevention (MTP) software and have its employees install the ZoneAlarm app, Rembaum said. FireEye ( FEYE ), Symantec ( SYMC ), Intel ’s ( INTC ) McAfee, Palo Alto Networks ( PANW ) and Proofpoint also compete in the mobile security space. A MitM attacker creates an encrypted tunnel — typically through a virtual private network (VPN) — to its own site, directing a user away from the legitimate MDM. Check Point’s MTP solution hunts down that encrypted tunnel. “The user would have received the text, clicked on the link and installed the certificate,” Rembaum said. “Then (Check Point’s software) would reach out and block the connection.” He added: “The actual installation of the malware wouldn’t have succeeded.”