'Masque' attack for iOS could let hackers replace legitimate apps with malicious copies


Comments

  • Reply 21 of 25
    Quote:

    Originally Posted by revenant

     

     a piece of Schmidt installing the malicious app is a given.


    I see what you did there.

  • Reply 22 of 25
    Quote:
    Originally Posted by lightknight

     



    I wonder how hard it would be to fake the AppStore app opening using CSS in Safari. It might not be this complicated to trick an unsuspecting user, say, your grandma.

     


    I mean: people are used to this kind of link: View In iTunes by now. An expertly crafted link that opens a website in Safari that looks like it opens iTunes (but doesn't really) would be doable. Some of the (really nice) effects on the Apple website, or the HTML 5 Apple page (which seems to have been removed now???), or even in WebGL with https://developer.apple.com/videos/wwdc/2014/?id=509 might enable this kind of evilness. You'll still get the popup, but most people already click them through, like the "we need your location" in Strava.

     

    In the end, the announcement is sensationalist, a security firm phishing for clicks/reputation, but with additional work, criminals might be able to turn this into something dangerous for the common user, which is most of the world...

  • Reply 23 of 25
    gatorguy (Posts: 24,769)
    revenant wrote:
    Here is yet another reason Apple is different than Android. A malicious app tells you something is fishy before you decide to install it. On Android it just assumes that since you have Android (the most secure mobile OS according to a piece of Schmidt) installing the malicious app is a given.

    A few of the warnings you'll receive if you attempt to install an app identified as malicious on Google Android, even from one of those 3rd party stores.

    Well, what about an app that reveals itself as malicious sometime after it was installed?

    And yes, it's available to nearly every Google Android smartphone and tablet in use today.
  • Reply 24 of 25
    Quote:
    Originally Posted by lightknight

     



    I wonder how hard it would be to fake the AppStore app opening using CSS in Safari. It might not be this complicated to trick an unsuspecting user, say, your grandma.


    I recently saw an article describing how some attacks are now being done using proxy pass-through. This would probably work against the AppStore also.

  • Reply 25 of 25
    charlituna wrote:
    It is possible to side load apps without jailbreaking via Configurator.

    For example, my mom has an iPhone 5 that was one of the sleep button phones. She just upgraded to a 6 and decided to get the button fixed to give it to my nephew. When I took it in they loaded an app via a laptop to test the phone. It came up with that whole trusted developer warning. Wasn't really a big deal since they had just erased everything from mom's phone so there's nothing to hack. When I get it back I'll restore it again to fresh just in case.

    On a corporate account yes.