'Masque' attack for iOS could let hackers replace legitimate apps with malicious copies
A recently discovered vulnerability in Apple's mobile operating system could allow attackers to trick users into replacing legitimate apps that have access to a variety of personal information, such as banking apps, with hacked versions that relay that information to malicious actors.

Hacked apps could be distributed via email or through web links and installed using iOS's enterprise provisioning system, which allows apps to be added to the device from outside of the App Store. The vulnerability, dubbed a "Masque attack" by security firm FireEye, is possible because iOS does not verify that the code signing certificate is the same for apps that use the same bundle identifier.
An app with the same bundle identifier as Bank of America's mobile banking, for example, could be installed over top of the legitimate Bank of America app, mimicking the latter's user interface but sending login data back to the attackers' servers. Default apps like Safari and Mail are not affected.
FireEye notified Apple of the issue on July 26, but iOS versions up to and including the iOS 8.1.1 beta continue to be vulnerable. Apple has yet to respond to the public disclosure.
The Masque attack could be considered an advanced form of phishing, a social engineering attack usually propagated via email in which users are tricked into submitting sensitive information to real-looking but ultimately fake websites. Phishing continues to be a huge problem, despite special protections built into web browsers and email clients designed to thwart the attack.
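The check described above (iOS compares only the bundle identifier, not the signing certificate) can be modelled as an install policy. The following is an added illustration, not FireEye's or Apple's code: it simulates an app registry keyed by bundle identifier and contrasts the weak policy with one that refuses a replacement signed by a different certificate. All bundle IDs and certificate fingerprints are constructed.

```python
"""Model of the install-time check that a Masque attack exploits.
Added example; not Apple's or FireEye's code. Bundle IDs, signer
fingerprints and sources below are constructed stand-ins."""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    bundle_id: str
    signer: str   # constructed stand-in for a code-signing cert fingerprint
    source: str   # "appstore" or "enterprise" (enterprise provisioning)


def install_weak(registry, app):
    """Weak policy: only the bundle identifier is compared, so a package
    signed with an enterprise certificate silently replaces the genuine
    App Store app that shares its bundle ID."""
    registry[app.bundle_id] = app
    return "installed"


def install_hardened(registry, app):
    """Hardened policy: an existing bundle ID may only be replaced by a
    package signed with the same certificate. A mismatch is refused and
    the installed app (and its local data) is left untouched."""
    existing = registry.get(app.bundle_id)
    if existing is not None and existing.signer != app.signer:
        return (f"refused: {app.bundle_id} is installed with signer "
                f"{existing.signer}, package is signed by {app.signer}")
    registry[app.bundle_id] = app
    return "installed"


def simulate(policy):
    """Run one scenario under the given policy: a genuine App Store app,
    a legitimate update from the same signer, then a look-alike enterprise
    package reusing the bundle ID. Returns (update result, look-alike
    result, signer that finally owns the bundle ID)."""
    registry = {}
    bank = "com.example.bank"                      # constructed bundle ID
    genuine = App(bank, "cert-appstore-0001", "appstore")
    update = App(bank, "cert-appstore-0001", "appstore")
    lookalike = App(bank, "cert-enterprise-9999", "enterprise")
    policy(registry, genuine)
    update_result = policy(registry, update)
    lookalike_result = policy(registry, lookalike)
    return update_result, lookalike_result, registry[bank].signer


if __name__ == "__main__":
    print("weak policy:    ", simulate(install_weak))
    print("hardened policy:", simulate(install_hardened))
```

Under the weak policy the enterprise-signed package ends up owning the bundle ID; under the hardened one the legitimate update still succeeds while the look-alike is refused.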

Comments
If you choose to download something from outside the app store, there will always be a risk.
This is an attack that can only happen if you download an App from a third party site or fall for a trick via e-mail or a Website. Apple explicitly warns customers to download Apps from the official Apple App Store only. Apple spends a lot of time and money checking these Apps to protect the customer. It is not Apple's fault if users choose not to use this protection or are careless Internet users in general. These kinds of attacks are everywhere on the Internet and apply to all software that is downloaded. The fact that iOS can also be attacked in this manner should not be labeled as a vulnerability or perceived as something Apple has to fix. As has been said many times, it is impossible to protect people from their own stupidity and Apple shouldn't be expected to either.
So, when are the AI Fanboys gonna come out in droves to debunk this article. Obviously, the author is a Samsung or Google plant.
So, in other words there is almost no risk of this happening. Thanks.
I don't understand these reactions. Would you prefer that security issues not be reported at all, just because they're unlikely to ever be a problem?
Yeah, if you click to install an app sent through emails, texts, IM or pop-ups, you deserve the malicious craps for being dumb. We've learnt this from the day internet went ubiquitous: Don't Install Things From Attachments or Links or Pop-ups.
As long as you think straight like a normal human (use AppStore), you'll be okay.
If you choose to download something from outside the app store, there will always be a risk.
Is this even not supposed to be possible for non-jailbroken iPhone?
Don't forget that you have to bypass the warning to trust the app.... Kinda silly how this is even news.
Hey look, you downloaded some app from some non-app-store place and you are being asked if you really want to trust it....
Just like WireLurker requires that you completely ignore or bypass GateKeeper.
Is this even not supposed to be possible for non-jailbroken iPhone?
Using enterprise MDM systems (maybe Apple Configurator as well) you can install apps that don't come from the App Store. This is so enterprises can install specialized apps only available to them. If an enterprise installation allows its users to side-load apps through the MDM system, then the IT people should be fired.
Any application that is installed on any computer has the ability to infect the computer. That's why you need to know where you're getting your apps. As this author states, this is more a phishing attack than typical malware. The user has to install an infected app to make it work. Android phones have the same problem.
Is this even not supposed to be possible for non-jailbroken iPhone?
The enterprise certificate modifies the trust model (i.e. it says to trust certain stuff that is not directly from Apple).
So the no-jailbreak protection is compromised somewhat in this environment.
No, but it appears like the only people this could affect are those in an enterprise setting downloading apps outside of the App Store. If you just read the headlines from Reuters, AP etc., you're left with the impression this is a serious bug that could easily affect iOS users. That's not the case.
Neither Reuters nor AP were mentioned here though. I'd understand if you were commenting on the Reuters or AP sites.
It is possible to side load apps without jailbreaking via Configurator.
For example, my mom has an iPhone 5 that was one of the sleep button phones. She just upgraded to a 6 and decided to get the button fixed to give it to my nephew. When I took it in they loaded an app via a laptop to test the phone. It came up with that whole trusted developer warning. Wasn't really a big deal since they had just erased everything from mom's phone so there's nothing to hack. When I get it back I'll restore it again to fresh just in case.
Would LOVE if at least ONE mainstream outlet came out and said the obvious... DON'T BE AN IDIOT, download your stuff ONLY from the App Store, and you'll be fine! Dare to dream?
I can only imagine what those trolling whores over at BGR will be saying about this, it's probably gonna be a Fandroid cluster-**** on that DISQUS thread :no:
Here is yet another reason Apple is different than Android. A malicious app tells you something is fishy before you decide to install it. On Android it just assumes that since you have Android (the most secure mobile OS according to a piece of Schmidt) installing the malicious app is a given.
The local news in Los Angeles already took the bait and ran with it. What idiots.
This is an attack that can only happen if you download an App from a third party site or fall for a trick via e-mail or a Website. Apple explicitly warns customers to download Apps from the official Apple App Store only. Apple spends a lot of time and money checking these Apps to protect the customer. It is not Apple's fault if users choose not to use this protection or are careless Internet users in general. These kinds of attacks are everywhere on the Internet and apply to all software that is downloaded. The fact that iOS can also be attacked in this manner should not be labeled as a vulnerability or perceived as something Apple has to fix. As has been said many times, it is impossible to protect people from their own stupidity and Apple shouldn't be expected to either.
I wonder how hard it would be to fake the AppStore app opening using CSS in Safari. It might not be this complicated to trick an unsuspecting user, say, your grandma.
Of course, I only wonder from a purely academic perspective. I totally don't have evil intentions, for the record.