Apple: Masque hasn’t attacked any iPhone, iPad users yet

Bob Brown
17 November, 2014

Following a US government warning about an iPhone and iPad security threat dubbed Masque Attack, Apple has issued a statement assuring customers that they’re probably OK.

Masque Attack, which security vendor FireEye disclosed information about last week, allows attackers to swap in fake apps for legitimate ones, and potentially grab sensitive data.

According to the independent Apple blog iMore, Apple issued the following statement:

“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”

Apple has posted on its site a reminder of safe operating procedures for installing enterprise iOS apps.

Three days after security company FireEye warned of an iPhone/iPad threat dubbed ‘Masque Attack’, the US government issued a warning of its own about this new risk posed to Apple iOS devices by malicious third-party apps.

The United States Computer Emergency Readiness Team (US-CERT) issued the alert regarding Masque Attack, which is posted in full at the bottom of this article. But in summary, US-CERT warned that:

This attack works by luring users to install an app from a source other than the iOS App Store or their organisations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.

This technique takes advantage of a security weakness that allows an untrusted app – with the same ‘bundle identifier’ as that of a legitimate app – to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.

Revelations of Masque came on the heels of a related exploit (that also threatens Macs) called WireLurker.

Some observers have rushed to explain that Mac and iOS device users should not panic, assuming they haven’t done anything really careless with their gadgets and computers.

Apple Insider, for example, wrote that “WireLurker and Masque Attack are not viral and can’t infect users unless they intentionally disable their security and manually install apps bypassing Apple’s builtin trust verification systems for iOS and Macs.”

Here’s the US-CERT alert in its entirety:

Apple iOS “Masque Attack” Technique

Systems Affected

iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.

Overview

A technique labelled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.

Description

Masque Attack was discovered and described by FireEye mobile security researchers.[1] This attack works by luring users to install an app from a source other than the iOS App Store or their organisations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.

This technique takes advantage of a security weakness that allows an untrusted app – with the same “bundle identifier” as that of a legitimate app – to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.

Impact

An app installed on an iOS device using this technique may:

  • Mimic the original app’s login interface to steal the victim’s login credentials.
  • Access sensitive data from local data caches.
  • Perform background monitoring of the user’s device.
  • Gain root privileges to the iOS device.
  • Be indistinguishable from a genuine app.

Solution

iOS users can protect themselves from Masque Attacks by following three steps:

  • Don’t install apps from sources other than Apple’s official App Store or your own organisation.
  • Don’t click “Install” from a third-party pop-up when viewing a web page.
  • When opening an app, if iOS shows an “Untrusted App Developer” alert, click on “Don’t Trust” and uninstall the app immediately.

Further details on Masque Attack and mitigation guidance can be found on FireEye’s blog [1]. US-CERT does not endorse or support any particular product or vendor.
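Because the alert attributes the weakness to iOS not enforcing matching certificates for apps that share a bundle identifier, an organisation can apply that check itself before an in-house IPA is distributed. The Python below is an added example, not part of the article or the US-CERT alert: it reads an IPA’s bundle identifier and the team identifier declared in its provisioning profile and compares them with an allowlist. The allowlist, `com.example.bank`, the team IDs and the sample IPAs are constructed, and the check reads declared metadata only; it does not validate the code signature.

```python
import io
import plistlib
import zipfile

# Hypothetical allowlist: bundle identifier -> team identifier expected to sign it.
EXPECTED_SIGNERS = {"com.example.bank": "TEAMGOOD01"}

def read_ipa_identity(ipa_bytes):
    """Return (bundle_id, team_id) as declared inside the IPA."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        # Top-level app bundle only: Payload/<Name>.app/Info.plist
        info = next(n for n in names if n.startswith("Payload/")
                    and n.count("/") == 2 and n.endswith(".app/Info.plist"))
        bundle_id = plistlib.loads(z.read(info))["CFBundleIdentifier"]
        profile = info[:-len("Info.plist")] + "embedded.mobileprovision"
        team_id = None
        if profile in names:
            # The profile is a signed container around an XML plist;
            # locate the plist and parse it (the signature is NOT verified here).
            raw = z.read(profile)
            start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
            if start != -1 and end != -1:
                teams = plistlib.loads(raw[start:end + 8]).get("TeamIdentifier", [])
                team_id = teams[0] if teams else None
    return bundle_id, team_id

def check_ipa(ipa_bytes, expected=EXPECTED_SIGNERS):
    """Flag an IPA that reuses a known bundle identifier under a different signer."""
    bundle_id, team_id = read_ipa_identity(ipa_bytes)
    if bundle_id not in expected:
        return "unknown-bundle-id"
    # A missing profile (team_id None) is also treated as a mismatch.
    return "ok" if team_id == expected[bundle_id] else "signer-mismatch"

def build_sample_ipa(bundle_id, team_id):
    """Constructed sample: minimal IPA layout with placeholder bytes around the profile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        body = plistlib.dumps({"TeamIdentifier": [team_id]})
        z.writestr("Payload/Demo.app/embedded.mobileprovision",
                   b"\x30\x82\x01\x00" + body + b"\x00placeholder-signature")
    return buf.getvalue()

if __name__ == "__main__":
    for team in ("TEAMGOOD01", "TEAMEVIL99"):
        print(team, check_ipa(build_sample_ipa("com.example.bank", team)))
```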
