
ArtOfWarfare

macrumors G3
Nov 26, 2007
9,568
6,072
Don't get me wrong...I have Pixelmator and Pages and think they are great apps...but I still have the need for Photoshop and Microsoft Word, and think many Mac users in both graphics and the business world have an imperative necessity for these programs. Microsoft Word and Excel files are still the standard throughout the business world and even in most Universities today. I think Apple is trying too hard to promote their own App Store agenda by integrating this Sandboxing feature into every shipping copy of OS X today...

1 - Office isn't standard anymore - it hasn't been in several years. In the past ~5 years, I'm pretty sure I've seen more people use Google Drive or OpenOffice than Microsoft Office. And with Pages being available on iCloud and iPad, I'm actually seeing it almost as often as Microsoft Office, despite the fact that I rarely see people with MacBooks at IBM (Lotus and IBM Notes are also common at IBM, but I know that's just from them being IBM products. I have never once seen either of them outside IBM.)

2 - Even if someone insisted on only working with Office documents, you can easily import and export from whatever program you use, and they'll be none the wiser.

I can't say anything about Photoshop as I don't often see anyone using that kind of program.
 

proline

macrumors 6502a
Nov 18, 2012
630
1
Because Apple always claims that their "closed" system is more secure than those others due to the review process?

Frankly, I don't understand why some people on this forum keep downplaying these security flaws. Perhaps they think they need to "defend" Apple, but that is misguided IMO. The "fappening" made it very obvious that Apple doesn't necessarily act to improve their security policies without public pressure. If that hadn't happened, we'd probably still have the weak iCloud security policy and incomplete 2-factor authentication. Public attention can only help to make the system more secure for everyone by forcing Apple to act.
Nobody has an issue with criticizing Apple's security. However, such criticism needs to acknowledge the reality that the chance of the average user's system being compromised is far less on Apple's platforms than any other major player. You can attribute that to Apple's security approach or sheer luck or whatever, but it's the bottom line and if you can't acknowledge that you simply aren't credible. Android / Windows users get compromised far more.
 

WrQth

macrumors member
Jul 23, 2010
89
11
This issue appears to affect different categories of iOS users: Jailbreak, Enterprise and normal.

The first is not the norm for iOS and those folks tend to be fairly savvy already.

The second are typically users in a large organization that may normally create apps, outside the app store, for use only within the organization. They use enterprise profiles to get such apps installed. Those are somewhat at risk as installing apps that way may be considered normal.

Large companies and government groups are examples of the second category and might easily have thousands of individuals within the group.

The third is the normal iOS user. Many of those are not tech savvy. They use their phone as a tool and will not always notice changes in app appearance or behavior.

The key issue here is falling for the link that causes this problem. Tech savvy folks generally know better, but non-tech don’t. This has more potential to cause problems for these in the enterprise group as their devices might have access to data, outside the normal web, that their normal enterprise apps use. Such fake apps could potentially gain access to that data.

Assuming people will know better is usually a bad approach. The amazing range of scams that occur every week in the news cycle are examples of that fact. Apple may well step in to control these options more firmly as they have recently done in other security related areas.

The "fake" app has to be signed with the Enterprise cert that is installed on the phone, so unless the "fake" app is signed with the Enterprise cert already on the phone it would need to install yet another Enterprise cert, which there are prompts warning users about. If a user disregards this they are likely violating their own company's policies, which they accepted when requesting that their device be enterprise managed.

It all comes down to people needing to be a bit smarter or at least following the guidelines defined by Apple and/or their company.
 

samcraig

macrumors P6
Jun 22, 2009
16,779
41,982
USA
So where in that statement was anything about fixing a known security risk? Regardless of how big/small.

ETA: The fact that this is possible is of concern. Perhaps the bigger concern is that a rogue app can install over a legitimate app. There should really be a safety net (warning) there.
 

snowmoon

macrumors 6502a
Oct 6, 2005
900
119
Albany, NY
There are a number of other steps that people are leaving out of this train of events. It includes getting an enterprise certificate and avoiding detection on non-jailbroken devices. Any certificates known to be installing fake apps will be revoked and the apps will stop working. The enterprise apps avoid review, but they are still bound by all the standard sandbox restrictions.

I see the best "fix" being the inability for an enterprise signed app to overwrite an AppStore installed app. Force the user to delete the app before it can be provisioned through other means. This should pose no problems for legitimate users and still allow the legitimate use-cases for enterprise apps.
 

Mtmspa

Suspended
May 13, 2013
1,006
784
Adobe Photoshop? Microsoft Office for OS X? Are these gold standards available on the Mac App Store?

I don't think so...and to install them you have to break security code and change your settings, and allow untrusted installs...

Oh no! Apple doesn't want you installing these evil programs. They want you to use only Pixelmator and Pages...

Right...

Cool story bro. Yawn.
 

xero9

macrumors 6502a
Nov 7, 2006
863
486
I'll admit, I recall seeing some emulator that I could install, and thought that sounded kind of interesting. I remember seeing the prompt to cancel or install. I think I hit install, but I don't remember what happened after that.

I consider myself above average as far as technology goes and to be honest, I was under the impression apps could ONLY be installed via the App Store. Apparently I was wrong.

How does one go about making sure these rogue apps aren't actually on there anymore? No one seems to mention how to ensure nothing is installed. I'm also wondering if it can transfer from say an iPhone 5s backup that was restored onto a 6 through iTunes.
 

hlfway2anywhere

Cancelled
Jul 15, 2006
1,544
2,338
So where in that statement was anything about fixing a known security risk? Regardless of how big/small.

ETA: The fact that this is possible is of concern. Perhaps the bigger concern is that a rogue app can install over a legitimate app. There should really be a safety net (warning) there.

There was nothing about fixing a security risk because this isn't a flaw, it's how iOS works, and it's safer than literally every other OS out there.

Who is stopping you from installing a spoofed Skype app or hacked version of Angry birds on OS X, Windows, or Android? Apple can't fix stupidity, which is the only security flaw in this situation.

Adobe Photoshop? Microsoft Office for OS X? Are these gold standards available on the Mac App Store?

I don't think so...and to install them you have to break security code and change your settings, and allow untrusted installs...

Oh no! Apple doesn't want you installing these evil programs. They want you to use only Pixelmator and Pages...

Right...

This isn't even true. Microsoft and Adobe are trusted developers, and it is not necessary to change your settings in order to install software from them. Unless you consider entering an administrative username and password to be 'breaking security code'.
 

2457282

Suspended
Dec 6, 2012
3,327
3,015
Wow. Everyone is looking past this subtle part of Apple's response:



Hope this doesn't mean the closing of OS X!

Agreed. There are still applications out there that have not wanted to join the Mac App store -- My wife wanted to download Skype and I was surprised to find that it is not on the Mac App store. I use BeaTunes to better manage my iTunes library and again, not available in the App Store. Apple will need to work harder if they really want everything to go through their App store. Otherwise, this IS a problem that needs to be addressed.
 

Ed217

macrumors 6502
Nov 7, 2012
341
79
Virginia
It all comes down to people needing to be a bit smarter or at least following the guidelines defined by Apple and/or their company.

True. The past has shown that far too many folks don't do this.

Texting while driving is dangerous. Yet how long do you have to drive around town before you see someone holding their cell in the hand on the steering wheel and poking it with the other hand? Too often...
 

Espeonia

macrumors member
Sep 10, 2013
80
1
Why is being able to install faked apps on iPhone considered a vulnerability, when on every other OS the same thing could happen and they call it "open"?

Because on other operating systems, you can't install an app signed by a different developer over an app with the same identifier.

If you try to install "flappy bird v2.apk" on an Android, you'll be asked if you want to install what it'll actually show up as, and it makes it clear that it's installing over another app, neither of which happens in this case.
 
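As an added illustration of the two points raised above (snowmoon's proposed fix, that an enterprise-signed app should not overwrite an App Store install, and Espeonia's description of how other platforms handle an identifier collision), the following Python models that install-time check. It is not Apple's or Android's code, and the bundle identifiers and team IDs are constructed.

```python
"""Model of the install-time policy discussed above (added example, not Apple's or
Android's code): a package may replace an app with the same bundle identifier only
if the signer matches, and a store-installed app is replaced only through the store."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple

class Source(Enum):
    APP_STORE = "app_store"
    ENTERPRISE = "enterprise"  # signed with an enterprise distribution certificate

class Decision(Enum):
    INSTALL = "install"                        # no collision, fresh install
    UPGRADE = "upgrade"                        # same bundle id, same signer
    REJECT_SIGNER_MISMATCH = "reject_signer"   # same bundle id, different signer
    REJECT_STORE_PROTECTED = "reject_store"    # store app, non-store replacement

@dataclass(frozen=True)
class App:
    bundle_id: str     # identifier the install is keyed on
    display_name: str  # name the icon will carry once installed
    signer_team: str   # team id taken from the code signature (constructed values below)
    source: Source

def install_decision(installed: Dict[str, App], candidate: App) -> Tuple[Decision, str]:
    """Return the decision and a prompt that names what will actually appear on the device."""
    current = installed.get(candidate.bundle_id)
    if current is None:
        return Decision.INSTALL, f"Install '{candidate.display_name}' ({candidate.bundle_id})?"
    # snowmoon's proposal: an App Store install can only be replaced via the App Store
    if current.source is Source.APP_STORE and candidate.source is not Source.APP_STORE:
        return Decision.REJECT_STORE_PROTECTED, f"'{current.display_name}' is a store app; delete it first."
    # Espeonia's point: a different signer may not install over the same identifier
    if current.signer_team != candidate.signer_team:
        return Decision.REJECT_SIGNER_MISMATCH, f"signer {candidate.signer_team} != {current.signer_team}"
    return Decision.UPGRADE, f"Replace '{current.display_name}' with '{candidate.display_name}'?"

# Constructed inventory: one App Store app and one in-house enterprise app.
INSTALLED = {
    "com.example.bank": App("com.example.bank", "Example Bank", "TEAMSTORE1", Source.APP_STORE),
    "com.corp.expenses": App("com.corp.expenses", "Expenses", "TEAMCORP01", Source.ENTERPRISE),
}
# Advertised as a game, but declares the bank app's bundle identifier (the Masque pattern).
MASQUERADE = App("com.example.bank", "Flappy Bird v2", "TEAMROGUE9", Source.ENTERPRISE)
# Legitimate in-house update, signed by the same team as the installed copy.
CORP_UPDATE = App("com.corp.expenses", "Expenses 2.0", "TEAMCORP01", Source.ENTERPRISE)
```

Under this model the masquerading package is refused before any prompt is shown, while the same-team update goes through with a prompt that shows the name it will actually carry.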

OldSchoolMacGuy

Suspended
Jul 10, 2008
4,197
9,050
Silly media making this a big deal.

This is exactly the same as if you click something online, download an application, and the application asks you for your admin password, then the OS tells you explicitly that THIS MAY HARM YOUR COMPUTER, and you still click OK.

It's giving the car keys to a random person and being surprised when they take your car. Silly.

Security researchers agree that this is NOT a big deal and does not pose a security risk. It was shown at a large security conference a year ago and even then researchers agreed it wasn't something to worry about. Now someone else reports it and the media (MacRumors included) grabs hold and blows it up into a big deal that it isn't. :rolleyes:

----------

Are enterprise provision profiles enabled on default?

They're allowed but it gives a big warning to not install anything you don't know where it's coming from and tells you very clearly that it may harm your phone or allow malicious things to be installed then you have to give it your passcode and then confirm it again. If you're that stupid it's really your own fault. It's no different than doing the same on your desktop OS.
 

hlfway2anywhere

Cancelled
Jul 15, 2006
1,544
2,338
Because on other operating systems, you can't install an app signed by a different developer over an app with the same identifier.

If you try to install "flappy bird v2.apk" on an Android, you'll be asked if you want to install what it'll actually show up as, and it makes it clear that it's installing over another app, neither of which happens in this case.

So Apple maybe needs to come up with a nice way to show the icon and name in that prompt. That would definitely help.
 

Mtmspa

Suspended
May 13, 2013
1,006
784
Apple stock price is getting a little too high. Need some FUD to back it off a few bucks.
 

samcraig

macrumors P6
Jun 22, 2009
16,779
41,982
USA
There was nothing about fixing a security risk because this isn't a flaw, it's how iOS works, and it's safer than literally every other OS out there.

Who is stopping you from installing a spoofed Skype app or hacked version of Angry birds on OS X, Windows, or Android? Apple can't fix stupidity, which is the only security flaw in this situation.

So you think it's OK that there's no safeguard in a rogue app overwriting a legitimately downloaded app from the appstore. You don't believe that something downloaded from the appstore should only be rewritten by the appstore? Is that right? Don't care whether iOS is "safer" than other OSes - if there's a security hole, it needs to be fixed.

And again - what happens on Windows or other OSes is irrelevant. We're talking about the Masque Attack and how it pertains to apps on iOS devices. Try and stay on topic.
 

brianvictor7

macrumors 65816
Oct 24, 2013
1,054
429
United States
Apple can only do so much to help people who make mistakes. The nuclear option is to force downloading of apps from the app store. For businesses who want to push out their own apps, Apple could furnish a special app store where the businesses could place their own apps.
 

BlendedFrog

macrumors 6502
Dec 9, 2010
312
231
Quite honestly this has already run its course. Enough already.

Truth be told I don't believe it has. I have been trying to raise this as an issue with my company but no one seems to care. Our enterprise developer account has over 40 people with admin level access. No one has audited the account in years to see if those people still need it or if they are even still with the company. Imagine if even one of those people does something malicious. They have access to our master provisioning profile. It would be worse than even a bad nightmare.
 

hlfway2anywhere

Cancelled
Jul 15, 2006
1,544
2,338
So you think it's OK that there's no safeguard in a rogue app overwriting a legitimately downloaded app from the appstore. You don't believe that something downloaded from the appstore should only be rewritten by the appstore? Is that right? Don't care whether iOS is "safer" than other OSes - if there's a security hole, it needs to be fixed.

And again - what happens on Windows or other OSes is irrelevant. We're talking about the Masque Attack and how it pertains to apps on iOS devices. Try and stay on topic.

Being condescending really helped make your point! You've changed my opinion and I understand now!
 

heeloliver

macrumors 6502a
Sep 6, 2014
639
423
Adobe Photoshop? Microsoft Office for OS X? Are these gold standards available on the Mac App Store?

I don't think so...and to install them you have to break security code and change your settings, and allow untrusted installs...

Oh no! Apple doesn't want you installing these evil programs. They want you to use only Pixelmator and Pages...

Right...

No, Adobe and Microsoft are trusted developers and can install without changing security settings.
 

MasterRyu2011

macrumors 65816
Aug 22, 2014
1,064
359
While this is a legitimate issue, it's not specific to ONLY iOS. It is a phishing trick that any software can run into on any system. If Apple fixes this, I'm impressed, since this is still an issue on every other system. You still get warning emails from your IT guys for not clicking on strange links, don't you? You can't fix stupid (ignore warnings) or greed (free apps).

I think people who are defending Apple are trying to get this point across. There are a multitude of Apple haters that are trying to make this an iOS issue only, hence the need to counter their point. Besides, there's nothing wrong with defending a product/brand that you like, not that they need defending.

There is nothing wrong with defending a brand; but there is also nothing wrong with warning users of a potential disaster, regardless of whichever platform. iPhones dominate the US market, which is why they get a lot of attention.

Serious question: Android has a setting "Install from Unknown Sources." Does anybody know if, when that is unchecked, it is virtually impossible to install (sideload) any type of non-Play Store app? In other words, can this attack affect an Android user that has this setting unchecked?
 

ucantgetridofme

macrumors 6502
Jun 24, 2011
374
0
This happens only to stupid and ignorant people and people that purposely bend their iPhones, enough said...
Ignorance is bliss...

Ignorance is bliss, but this is what happens when you become emotionally invested in a corporation that doesn't give a darn about you and the rest of its customers.
 