'Masque' attack for iOS could let hackers replace legitimate apps with malicious copies

Posted in iPhone, edited November 2014
A recently-discovered vulnerability in Apple's mobile operating system could allow attackers to trick users into replacing legitimate apps that have access to a variety of personal information -- such as banking apps -- with hacked versions that relay that information to malicious actors.




Hacked apps could be distributed via email or through web links and installed using iOS's enterprise provisioning system, which allows apps to be added to the device from outside of the App Store. The vulnerability, dubbed a "Masque attack" by security firm FireEye, is possible because iOS does not verify that the code signing certificate is the same for apps that use the same bundle identifier.

An app with the same bundle identifier as Bank of America's mobile banking, for example, could be installed over top of the legitimate Bank of America app, mimicking the latter's user interface but sending login data back to the attackers' servers. Default apps like Safari and Mail are not affected.
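The missing check can be modelled in a few lines. The following is an added example, not code from FireEye, Apple or the original article: the bundle identifiers, signer labels and the `SYSTEM_BUNDLES` set are constructed, and the install logic is a simplified model of the behaviour described above next to a version that pins the signer, plus an inventory audit a defender could run against a known-good baseline.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    bundle_id: str  # constructed, e.g. "com.example.bank"
    signer: str     # label for the code signing certificate (constructed)
    source: str     # "appstore" or "enterprise"

# Assumption: stands in for preinstalled apps, which the article says are not affected.
SYSTEM_BUNDLES = {"com.example.system.browser"}

def install_vulnerable(installed, pkg):
    """Model of the described flaw: a bundle ID match alone permits replacement."""
    if pkg.bundle_id in SYSTEM_BUNDLES:
        return "rejected: system app"
    replaced = pkg.bundle_id in installed
    installed[pkg.bundle_id] = pkg
    return "replaced" if replaced else "installed"

def install_hardened(installed, pkg):
    """Same flow, but a replacement must carry the signer of the app it replaces."""
    if pkg.bundle_id in SYSTEM_BUNDLES:
        return "rejected: system app"
    current = installed.get(pkg.bundle_id)
    if current is not None and current.signer != pkg.signer:
        return "rejected: signer mismatch"
    installed[pkg.bundle_id] = pkg
    return "replaced" if current else "installed"

def audit(inventory, baseline):
    """Return bundle IDs whose installed signer differs from the expected signer."""
    return sorted(p.bundle_id for p in inventory
                  if p.bundle_id in baseline and baseline[p.bundle_id] != p.signer)

def demo():
    bank = Package("com.example.bank", "SIGNER-BANK", "appstore")
    masque = Package("com.example.bank", "SIGNER-OTHER", "enterprise")
    update = Package("com.example.bank", "SIGNER-BANK", "appstore")
    weak, strong = {}, {}
    return {
        "weak": [install_vulnerable(weak, p) for p in (bank, masque)],
        "strong": [install_hardened(strong, p) for p in (bank, masque, update)],
        "audit": audit(weak.values(), {"com.example.bank": "SIGNER-BANK"}),
    }

if __name__ == "__main__":
    print(demo())
```

The `audit` function is the part that transfers to practice: comparing a device inventory against expected signers per bundle identifier flags a replaced app even after the install-time check has been bypassed.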



FireEye notified Apple of the issue on July 26, but iOS versions up to and including iOS 8.1.1 beta continue to be vulnerable. Apple has yet to respond to the public disclosure.

The Masque attack could be considered an advanced form of phishing, a social engineering attack usually propagated via email in which users are tricked into submitting sensitive information to real-looking but ultimately fake websites. Phishing continues to be a huge problem, despite special protections built into web browsers and email clients designed to thwart the attack.

Comments

  • Reply 1 of 25
    Requires a user to accept an enterprise certificate of a company they don't work for, and Apple to not revoke the cert.

    If you choose to download something from outside the app store, there will always be a risk.
  • Reply 2 of 25

    This is an attack that can only happen if you download an App from a third party site or fall for a trick via e-mail or a Website.  Apple explicitly warns customers to download Apps from the official Apple App Store only.  Apple spends a lot of time and money checking these Apps to protect the customer.  It is not Apple's fault if users choose not to use this protection or are careless Internet users in general.  These kinds of attacks are everywhere on the Internet and apply to all software that is downloaded.  The fact that iOS can also be attacked in this manner should not be labeled as a vulnerability or perceived as something Apple has to fix. As has been said many times, it is impossible to protect people from their own stupidity and Apple shouldn't be expected to either.

  • Reply 3 of 25

    So, when are the AI Fanboys gonna come out in droves to debunk this article.  Obviously, the author is a Samsung or Google plant.

  • Reply 4 of 25

    So, in other words there is almost no risk of this happening. Thanks.

  • Reply 5 of 25
    So to be sure I understand correctly, the only way to install apps outside of the app store is to jailbreak your phone right? So this would not be a threat to an iPhone unless it was jailbroken?
  • Reply 6 of 25
    crowley Posts: 5,771 member

    I don't understand these reactions.  Would you prefer that security issues not be reported at all, just because they're unlikely to ever be a problem?

  • Reply 7 of 25
    fallenjt Posts: 3,976 member

    Yeah, if you click to install an app sent through emails, texts, IM or pop-ups, you deserve the malicious craps for being dumb. We've learnt this from the day internet went ubiquitous: Don't Install Things From Attachments or Links or Pop-ups.

    As long as you think straight like a normal human (use AppStore), you'll be okay.

  • Reply 8 of 25
    rogifan Posts: 10,669 member
    crowley wrote: »
    I don't understand these reactions.  Would you prefer that security issues not be reported at all, just because they're unlikely to ever be a problem?
    No but it appears like the only people this could affect are those in an enterprise setting downloading apps outside of the App Store. If you just read the headlines from Reuters, AP etc., you're left with the impression this is a serious bug that could easily affect iOS users. That's not the case.
  • Reply 9 of 25
    Quote:
    Originally Posted by slickdealer

    If you choose to download something from outside the app store, there will always be a risk.

    Is this even not supposed to be possible for non-jailbroken iPhone?

  • Reply 10 of 25
    Next thing you know, Fire-eye will disclose Safari as a vulnerability, since you can log on to a malicious website posing as a legitimate one.
  • Reply 11 of 25



    Don't forget that you have to bypass the warning to trust the app.... Kinda silly how this is even news.

    Hey look, you downloaded some app from some non-app-store place and you are being asked if you really want to trust it....

    Just like WireLurker requires that you completely ignore or bypass GateKeeper.

  • Reply 12 of 25
    rob53 Posts: 2,007 member
    Quote:
    Originally Posted by jason98

    Is this even not supposed to be possible for non-jailbroken iPhone?

    Using enterprise MDM systems (maybe Apple Configurator as well) you can install apps that don't come from the App Store. This is so enterprises can install specialized apps only available to them. If an enterprise installation allows its users to side-load apps through the MDM system, then the IT people should be fired.

    Any application that is installed on any computer has the ability to infect the computer. That's why you need to know where you're getting your apps. As this author states, this is more a phishing attack than typical malware. The user has to install an infected app to make it work. Android phones have the same problem.

  • Reply 13 of 25
    Quote:
    Originally Posted by jason98

    Is this even not supposed to be possible for non-jailbroken iPhone?

    The enterprise certificate modifies the trust model (i.e. it says to trust certain stuff that is not directly from Apple).

    So the no-jailbreak protection is compromised somewhat in this environment.

  • Reply 14 of 25
    idrey Posts: 640 member
    And yet the media is going to blame apple. Apple will probably patch this anyway.
  • Reply 15 of 25
    crowley Posts: 5,771 member
    Quote:
    Originally Posted by Rogifan

    No but it appears like the only people this could affect are those in an enterprise setting downloading apps outside of the App Store. If you just read the headlines from Reuters, AP etc., you're left with the impression this is a serious bug that could easily affect iOS users. That's not the case.

    Neither Reuters nor AP were mentioned here though.  I'd understand if you were commenting on the Reuters or AP sites.

  • Reply 16 of 25
    garfong wrote: »
    So to be sure I understand correctly, the only way to install apps outside of the app store is to jailbreak your phone right? So this would not be a threat to an iPhone unless it was jailbroken?

    It is possible to side load apps without jailbreaking via Configurator.

    For example, my mom has an iPhone 5 that was one of the sleep button phones. She just upgraded to a 6 and decided to get the button fixed to give it to my nephew. When I took it in they loaded an app via a laptop to test the phone. It came up with that whole trusted developer warning. Wasn't really a big deal since they had just erased everything from mom's phone so there's nothing to hack. When I get it back I'll restore it again to fresh just in case.
  • Reply 17 of 25
    rogifan wrote: »
    No but it appears like the only people this could affect are those in an enterprise setting downloading apps outside of the App Store. If you just read the headlines from Reuters, AP etc., you're left with the impression this is a serious bug that could easily affect iOS users. That's not the case.
    Unfortunately I have a feeling the mainstream media will take this little tidbit, brush it under the carpet, and instead report this is the end of iOS safety, and then move to the usual Apple is DOOMED rhetoric...

    Would LOVE if at least ONE mainstream outlet came out and said the obvious... DON'T BE AN IDIOT, download your stuff ONLY from the App Store, and you'll be fine! Dare to dream?

    I can only imagine what those trolling whores over at BGR will be saying about this, it's probably gonna be a Fandroid cluster-**** on that DISQUS thread :no:
  • Reply 18 of 25

    here is yet another reason apple is different than android. a malicious app tells you something is fishy before you decide to install it. on android it just assumes that since you have android (the most secure mobile os according to a piece of Schmidt) installing the malicious app is a given.

  • Reply 19 of 25
    magman1979 wrote: »
    Unfortunately I have a feeling the mainstream media will take this little tidbit, brush it under the carpet, and instead report this is the end of iOS safety, and then move to the usual Apple is DOOMED rhetoric...

    Would LOVE if at least ONE mainstream outlet came out and said the obvious... DON'T BE AN IDIOT, download your stuff ONLY from the App Store, and you'll be fine! Dare to dream?

    I can only imagine what those trolling whores over at BGR will be saying about this, it's probably gonna be a Fandroid cluster-**** on that DISQUS thread :no:

    The local news in Los Angeles already took the bait and ran with it. What idiots.
  • Reply 20 of 25
    Quote:
    Originally Posted by sailermon

    This is an attack that can only happen if you download an App from a third party site or fall for a trick via e-mail or a Website.  Apple explicitly warns customers to download Apps from the official Apple App Store only.  Apple spends a lot of time and money checking these Apps to protect the customer.  It is not Apple's fault if users choose not to use this protection or are careless Internet users in general.  These kinds of attacks are everywhere on the Internet and apply to all software that is downloaded.  The fact that iOS can also be attacked in this manner should not be labeled as a vulnerability or perceived as something Apple has to fix. As has been said many times, it is impossible to protect people from their own stupidity and Apple shouldn't be expected to either.

    I wonder how hard it would be to fake the AppStore app opening using CSS in Safari. It might not be this complicated to trick an unsuspecting user, say, your grandma.

    Of course, I only wonder from a purely academic perspective. I totally don't have evil intentions, for the record.
