Some Apple mobile devices vulnerable to ‘Masque attack,’ says security firm FireEye

“Apple mobile devices can leak users’ information through an attack using apps distributed outside the company’s App Store, a prominent Silicon Valley security company disclosed Monday,” Jeremy C. Owens reports for The San Jose Mercury News.

“FireEye announced in a blog post that it told Apple in July that devices using its iOS mobile operating system, such as the iPhone and iPad, were vulnerable to an assault it termed ‘Masque attack.’ However, FireEye researchers said Apple has been unable to work around the issue,” Owens reports. “‘Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks,’ the researchers wrote.”

“FireEye found that hackers could offer a mobile app through the Web that would mimic a legitimately downloaded application on a user’s device, siphoning important information such as login information or emails,” Owens reports. “FireEye offered three ways to avoid being a victim of the Masque Attack vulnerability: Do not download any apps that do not come from the App Store or a user’s organization, such as an employer; don’t install apps offered on pop-ups from third-party websites; and if iOS ever alerts a user about an ‘Untrusted App Developer,’ click ‘Don’t Trust’ on the alert and immediately uninstall the app.”

Read more in the full article here.

26 Comments

  1. Anyone truly concerned about security has no business downloading an app from any other place than the Apple App Store. Period.

    There’s a reason certain developers will not list their creations on the Apple App Store. Very few of them are good reasons.

    1. So what you’re saying is that businesses shouldn’t use the iOS developer kit and make their own apps, or manage their own devices? Not much of an enterprise machine if you don’t allow end users enough slack to do stuff.

      There are markets besides the consumer iTunes app store, you know. Apple needs to serve it and one can’t offer user power while handcuffing them. Any device worth its salt can be used to hurt oneself, but that doesn’t mean that Apple is at fault. It means developers need training. So too it is with anything.

      1. Paul – read the info above…
        “Do not download any apps that do not come from the App Store OR A USER’S ORGANIZATION, SUCH AS AN EMPLOYER;”

        Apple and employers are good.

    2. Steve, Apple provides a legitimate way for institutions to install their own applications onto their own devices without going through Apple’s App Store. Can you imagine a business creating a mission-critical and competitively advantageous application only to release it for public view on the App Store? Furthermore, if the app is mission-critical, waiting on a completely opaque review process within Apple before updates could be delivered to those critical areas would be unacceptable.

      And since this ability is built into iOS, it’s an attack vector malware creators can use. That there hasn’t been any (outside of research circles) gives testimony to the difficulty of doing so fraudulently.

  2. “FireEye offered three ways to avoid being a victim of the Masque Attack vulnerability: Do not download any apps that do not come from the App Store or a user’s organization, such as an employer; don’t install apps offered on pop-ups from third-party websites; and if iOS ever alerts a user about an ‘Untrusted App Developer,’ click ‘Don’t Trust’ on the alert and immediately uninstall the app.”

    In other words: Don’t be stupid.

    It is 100% impossible for Apple to protect all users from themselves… unless Apple offers to sell to such users a solid 10 cm thick steel box lined with 5 cm of solid copper that the user puts his/her phone into, then Apple welds the box shut.

      1. Good call. That will keep Superman from seeing what’s in there. Add a layer of vibranium to protect it from Thor’s hammer and a layer of adamantium to prevent Shadow Cat from phasing it. Should be completely safe that way. 😃

  3. It’s true that you have to click a link on an email and then approve downloading the app. But since Apple doesn’t compare the signature to the real developer any app can be replaced. There are a lot of ignorant users on iDevices so Apple needs to check the signature to protect their dumb customers.

      1. Actually, after reading through the source FireEye blog post, I want to apologize to WhoKnows. How could I ever forget The LUSER Factor? There are indeed people who would install this crap into their iOS devices over the Internet. Gawd knows why, but such people exist.

    1. No, this attack works on any iDevice. As I said above – click an email link – approve the download – and voilà, you’ve allowed replacement of any app on your iDevice because Apple does not compare the signature. Looks like nobody really wants to believe it. All Apple has to do is update iOS 8 to check the signature.

  4. There are two kinds of users who are vulnerable to ‘Masque attack’:
    1) Jailbroke their iOS device.
    2) Got conned by a fake work specific iOS app.

    This problem is an echo of the recent Chinese WireLurker malware (which at this point in time is inert). Apple has some work to do locking down Apple Configurator and Enterprise Security Certificates.

    For most iOS users, ‘Masque attack’ is a non-issue. But Apple’s apparently working on plugging the hole.

    1. Oh. There’s more:

      http://www.fireeye.com/blog/technical/cyber-exploits/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html

      Reading the FireEye blog report, I can now see their deeper point. To quote:

      After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with malware that has an identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.

      We have seen proofs that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves.

      It’s actually stunning that these Enterprise Security Certificate signed FAKE apps can actually be installed, over the Internet, directly into iOS devices. If this is entirely real, this puts a great big red letter A (for Asinine) on Apple’s Enterprise Security Certificate system. WTF?!

      But again, unless someone is suckered into installing these Trojans over the Internet, it’s a non-issue for most iOS users. And yet, there is always what I call The LUSER Factor, those users who attract computer problems and malware. I hope Apple cleans this up in a hurry.
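The gap the FireEye quote and the comments above point at is that iOS accepted a replacement app on bundle identifier alone, without checking that the new signer matched the original. As an added illustration (not code from FireEye, Apple or this site), here is the kind of inventory check an enterprise MDM administrator could run over a constructed device inventory: every name, bundle ID and signer value is hypothetical, and a real deployment would read them from the MDM export.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str
    signer: str          # signing identity reported by the inventory
    provisioning: str    # "appstore" or "enterprise"


# Constructed baseline (hypothetical): the signer each sensitive bundle ID
# should carry. A real baseline would come from the organisation's MDM.
EXPECTED_SIGNER = {
    "com.example.bank": "Apple App Store",
    "com.example.mail": "Apple App Store",
    "com.corp.expenses": "Example Corp Enterprise",
}


def classify(app, expected):
    """Label a signer mismatch. An enterprise-provisioned app carrying the
    bundle ID of an App Store app is the replacement pattern FireEye describes."""
    if app.provisioning == "enterprise" and expected == "Apple App Store":
        return "masque-candidate"
    return "signer-mismatch"


def find_masqueraders(apps):
    """Return (bundle_id, expected_signer, observed_signer, label) for every
    inventoried app whose signer differs from the baseline for its bundle ID."""
    findings = []
    for app in apps:
        expected = EXPECTED_SIGNER.get(app.bundle_id)
        if expected is None or app.signer == expected:
            continue  # app not in the baseline, or signer matches it
        findings.append((app.bundle_id, expected, app.signer, classify(app, expected)))
    return findings


# Constructed sample inventory: one replaced banking app among legitimate ones.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", "Unknown Enterprise Team", "enterprise"),
    InstalledApp("com.example.mail", "Apple App Store", "appstore"),
    InstalledApp("com.corp.expenses", "Example Corp Enterprise", "enterprise"),
    InstalledApp("com.other.game", "Apple App Store", "appstore"),
]

if __name__ == "__main__":
    for bundle_id, expected, observed, label in find_masqueraders(SAMPLE_INVENTORY):
        print(f"{label}: {bundle_id} expected {expected!r}, found {observed!r}")
```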

  5. Another attack by San Jose Mercury. Apple’s hometown paper tries its best to destroy Apple. Any idiot that downloads apps from other than Apple deserves to get whacked. I dropped Gmail a long time ago, BTW.
