Masque Attack: Why Your iPhone is Probably Safe

Masque Attack sounds like an ominous threat to the iPhone and iPad because it lets attackers replace legit apps with their own malicious versions. Getting those on your iOS device, however, involves some trickery and interaction on your part. The security flaw is serious, but it isn't likely to hit you.

Masque Attack replaces legit iPhone apps with malicious versions

Masque Attack, as detailed by the security firm FireEye, lets attackers replace legit apps from the App Store with lookalikes that perform tasks such as stealing your contacts, email messages, and account passwords. Attackers can target factory-standard and jailbroken devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.

Attackers simply use the same bundle identifier from the legit version of an app, and iOS accepts it as the real thing. Assuming the trojan horse version looks and acts like the original, victims would be none the wiser. The only apps that aren't susceptible to Masque Attack come bundled with iOS, like Mobile Safari, Mail, Messages, and Music.

To get a Masque Attack app on your iPhone or iPad, developers need an iOS Developer Enterprise Program account. DEP lets developers build apps that can be installed outside of Apple's App Store — a necessary step since each app on the App Store has a unique bundle identifier.

Next, the attackers need to trick you into downloading and installing their trojan horse app from outside of the App Store. They'd most likely send a convincing-looking email with a link to their app in hopes that you'll be tricked into thinking it's legit.

Victims then need to tap through a warning that they're trying to install an app from an untrusted source. If they don't agree to the download, the process stops and the Masque Attack trojan horse app doesn't install.

If an attacker wants to target a single iOS device user, they can try to convince them to hand over their device UDID code. Many iPhone owners don't know what a UDID code is, or how to find it, so it isn't likely attackers will use that option very often.

Assuming an attacker uses a DEP account to build and release their Masque Attack apps, Apple can shut them down by killing their app certificate. Without a legit certificate, the malicious app can't launch, ending the threat in its tracks.

Apple may be able to stop the Masque Attack flaw by changing how iOS looks at bundle identifiers, and there are likely changes that can be made to improve security through the DEP system, too. Considering the steps needed to get a malicious app on an iOS device through the Masque Attack flaw, it isn't likely many people will fall prey to this security risk.

That said, if you're concerned that you may have been targeted by Masque Attack, just delete the apps you think are a threat and re-install them through Apple's App Store. You'll also need to change the passwords for any accounts the suspicious apps used because the attackers will undoubtedly have stolen those through their app.
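For anyone managing a fleet of devices, the bundle identifier reuse described above can be checked for in an app inventory. The sketch below is an added example, not code from the article or from FireEye; the record fields, bundle IDs and team IDs are constructed, and it assumes your management tooling can report each installed app's signing team and install source.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class InstalledApp:
    device: str
    bundle_id: str
    team_id: str   # signing team reported for the installed copy (assumed field)
    source: str    # "app_store" or "enterprise" (assumed field)

# Baseline (constructed): bundle ID -> team ID of the genuine App Store publisher.
BASELINE = {
    "com.example.mail": "TEAMAAAA01",
    "com.example.bank": "TEAMBBBB02",
}

# In-house enterprise apps the organisation really distributes (constructed).
APPROVED_ENTERPRISE = {("com.example.intranet", "TEAMCORP09")}

def audit(inventory):
    """Return (device, bundle_id, reason) for each suspicious install."""
    findings = []
    for app in inventory:
        expected = BASELINE.get(app.bundle_id)
        if expected is not None:
            # Bundle ID belongs to a known App Store app, so the signer must
            # match. A different signer is the Masque Attack pattern.
            if app.team_id != expected:
                findings.append((app.device, app.bundle_id, "signer mismatch"))
        elif (app.source == "enterprise"
              and (app.bundle_id, app.team_id) not in APPROVED_ENTERPRISE):
            # Enterprise-signed app that nobody approved: worth a closer look.
            findings.append((app.device, app.bundle_id, "unapproved enterprise app"))
    return findings

# Constructed sample inventory.
SAMPLE = [
    InstalledApp("phone-1", "com.example.mail", "TEAMAAAA01", "app_store"),
    InstalledApp("phone-1", "com.example.intranet", "TEAMCORP09", "enterprise"),
    InstalledApp("phone-2", "com.example.bank", "TEAMXXXX77", "enterprise"),
    InstalledApp("phone-3", "com.example.game", "TEAMYYYY55", "enterprise"),
    InstalledApp("phone-3", "com.example.notes", "TEAMZZZZ11", "app_store"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Apps flagged with a signer mismatch are the ones to delete and re-install from the App Store, followed by the password changes described above.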

Masque Attack is a serious security flaw in iOS, and it's something Apple needs to address quickly. Despite the big hole it punches through the app trust process, it isn't a threat most iPhone and iPad users will encounter. Sticking to app downloads through the App Store will protect you, so never download and install an app through a link given to you by someone you don't know and trust.

Comments

geoduck

Victims then need to tap through a warning that they’re trying to install an app from an untrusted source.

This is the part that surprises me. I thought you could ONLY install apps from the App Store. I’m really surprised that it just gives you a warning and lets you proceed. I thought if you had a company specific App it went into the normal App Store, just in a corner most people couldn’t access. Of course I’ve never heard of the DEP before.

ppartekim

Even if you did accidentally load one of those programs, how do you know which one in order to delete it? Or does one just need to wipe their entire phone then reload all their apps from the app store one-by-one?

Bart B

“Masque Attack is a serious security flaw in iOS, and it’s something Apple needs to address quickly.” - no it isn’t! It’s security working as designed!

It’s nuts to describe a feature that protects users by making them opt-in to running an un-trusted app as a ‘security flaw’. By that ‘logic’ Windows is REALLY insecure, it lets anyone install any software from any source and doesn’t even ask for permission - gasp!

Also - nice to see how totally Apple have won the argument that control over apps is a good thing, because a few years ago everyone was losing their hair because you COULDN’T install 3rd party software without going through the App Store, now, if you can run 3rd party software by accepting a provisioning profile people say the OS is broken!
