Apple: We’re not aware of any customers that have actually been affected by ‘Masque Attack’

“The U.S. government warned iPhone and iPad users on Thursday to be on the alert for hackers who may exploit a vulnerability in Apple Inc’s iOS operating system that would enable them to steal sensitive data,” Jim Finkle reports for Reuters. “There was the potential for hacks using a newly identified technique known as the ‘Masque Attack,’ the government said in an online bulletin from the National Cybersecurity and Communications Integration Center and the U.S. Computer Emergency Readiness Teams.”

“Such attacks could be avoided if iPad and iPhone users only installed apps from Apple’s App Store or from their own organizations, [the government] said,” Finkle reports. “‘We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We’re not aware of any customers that have actually been affected by this attack,’ Apple said in an emailed statement to Reuters.”

Finkle reports, “Users should not click ‘Install’ from pop-ups when surfing the web. If iOS flashes a warning that says ‘Untrusted App Developer,’ users should click on ‘Don’t Trust’ and immediately uninstall the app, the bulletin said.”

Read more in the full article here.

11 Comments

  1. Has anything changed in iOS 8 with respect to the process for installation of apps on iOS devices? Because, based on what I understand, since the concept of Apps was introduced in iPhone OS 2.0, the only way to install them on a non-jailbroken phone was via the App Store. There was no way you could tap a web link and download an app in a browser; the only kind of link there could be for an app download would be to Apple’s App Store (or, presumably, to the private app store for a business).

    Could it be possible that the article is confusing iOS and Mac OS?

    1. There is a second vector, probably more dangerous: install an application on your Mac which then synchs with any iOS device that you connect. Yes, Masque can only be installed directly on an iOS device if you jailbreak. But since security on a MacOS device has a lower threshold and, indeed, some developers have left the Mac Apps store out of frustration and want users to download their apps directly from the developers’ websites, MacOS is much more ripe for this kind of attack. Perhaps through a hotel’s wifi network…

    2. Actually, from at least iOS 6, one can download specific applications from the web onto their device. I’ve done it a couple of times. The process actually looks/works pretty much as it would if you were to download an app from the App Store.

        1. Nope, it’s not. I believe an example would be AppNana: http://appnana.com though I’m not sure they still do it that way. It used to be that you would add a Safari shortcut to your home screen, then once opened you were given the option to download a web application.

        2. I think you are specifying a WEB Application. . . which does not actually run ON the iPhone. It runs on the web. All you are downloading is a weblink. Sorry, not the same thing at all.

        3. It does more than just install a web link… If I go into the settings app, I can even see the app listed under the profiles of the general menu. It is not just a shortcut to a webpage.

        4. I would not have a thing to do with that, if I were you. I can see several issues that will come up. I suspect that it won’t be around for long at all. Apple will cut them off quickly. They are playing fast and loose with copyright law I believe. You may find that your iPhone has been jailbroken without your knowledge.

    3. The ability to download apps off the Internet started in iOS 7. Apple tightened up the security around this ‘feature’ in iOS 8.

      What’s actually going on is a bit complicated, dealing with Enterprise security certificates being stolen and shoved into faked apps that can be named anything at all, then replace apps you already have installed on your iOS gear.

      There have been several articles on the subject this week. (I’ve collected them all). But the best article to date is from Intego:

      http://www.intego.com/mac-security-blog/masque-attack-ios-vulnerability-or-feature-by-design/

      [No, I’m not Derek Erwin. And no, Mac Observer had nothing to do with discovering this ‘bug’. The original discovery and announcement was from FireEye. See their blog entry here:
      http://www.fireeye.com/blog/technical/cyber-exploits/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html ]

      The Intego article goes into the history of this ‘feature’, valid use cases, and how it can be abused. Because of the complicated details regarding Enterprise security certificates, I won’t quote the article here. It’s well worth reading if you work with people who may be vulnerable to this method of Trojan-ing iOS devices.

      Personally: I’m discouraged at Apple’s response to this situation and surprised they’ve allowed this to be possible. However, for now, it’s a hyped up subject that will have to prove itself as a serious problem, much as I wish Apple would simply kill this Trojan vector.

  2. I think the FEDS did this to paint Apple’s iOS as compromised and vulnerable since they still have hard feelings we did not roll over for them in the iBooks persecution errr…… prosecution.

    1. That’s entirely possible. As Apple has stated (via René Richie), they are unaware of this Trojan vector being exploited.

      ‘Apple comments on ‘Masque Attack’, reminds users of built-in security safeguards

      “We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software,” an Apple spokesperson told iMore. “We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”

      More from Apple on the subject:

      iOS: When you install custom enterprise apps
      Follow these security guidelines when you install custom apps created for your organization.
