I'm curious how much data this vulnerability could allow access to. The quote mentioned cached emails and potentially login-tokens, would it also include other cached data?
Let's say the attacker replaced something like 1Password or other password saving application.

Looking forward to Apple patching this up as soon as possible.

Replacing 1Password in a way you wouldn't notice, unlikely. But if they're installed in the same sandbox and the developer of this app knows where to look, they would have access to the application files. Unless it is easy to know what sites the data refers to, it would be relatively safe. I don't know enough about the implementation to know for sure.

Wonder if Apple could make it so that some Apps can be locked down and can't be upgraded or tampered unless you unlock them. Very few apps need this, but password lockers probably do.

Accessing emails that are in the Apple Email sandbox, I don't think it is possible. They could if you have a non Apple app for your emails, like Gmail.



----------

Yup, a few people confirmed it. Basically just one pop up to install or not install and potentially one when running the app for the first time to trust the developer or not. But rather transparent profile installation and it seems it can stay on even if the app is removed without user knowledge essentially since in iOS 8 there's no way to see those profiles on the device itself.

CDM, many people actually said they saw the profiles on their phone. Not sure it is a universal thing (maybe it happens in certain use cases), but several people on this thread have stated they saw the profiles.
 
Replacing 1Password in a way you wouldn't notice, unlikely. But if they're installed in the same sandbox and the developer of this app knows where to look, they would have access to the application files. Unless it is easy to know what sites the data refers to, it would be relatively safe. I don't know enough about the implementation to know for sure.

Wonder if Apple could make it so that some Apps can be locked down and can't be upgraded or tampered unless you unlock them.

----------



CDM, many people actually said they saw the profiles on their phone. Not sure it is a universal thing (maybe it happens in certain use cases), but several people on this thread have stated they saw the profiles.
Some profiles can be seen it seems, perhaps those that were there before iOS 8 or certain types of profiles (that were possibly installed in some particular way). But bundled profiles within application installations seem to no longer appear or be accessible/managed on the device. Some articles/discussions mentioned this, I've had personal experience with this just a week ago, and at least a few others in this thread have noticed this as well, including one person that was similarly unsure that this was happening and witnessed it just today after trying it out personally.
 
Not sure if serious:confused: Was that a joke?

Well, actually not. The video shows an install of flappy bird, while a malicious Gmail app is being installed.
The video does not mention any other app that does the same as this malicious Gmail. Those who do not use Gmail in the first place have nothing to worry about, right?

Btw: I have never used Gmail anyways.
 
It really irks me how people use all these smarts to do harm rather than good. I guess crime does pay. Thanks from the rest of us just trying to make it in the world, *******s. I've been in the IT industry for 15 years, doing the best I can to try to do good things. These kinds of things really upset me.
 
Well, actually not. The video shows an install of flappy bird, while a malicious Gmail app is being installed.
The video does not mention any other app that does the same as this malicious Gmail. Those who do not use Gmail in the first place have nothing to worry about, right?

Btw: I have never used Gmail anyways.
Clearly that is just an example to demonstrate it all, as it can basically be done with any third party app, as the article mentions.
 
iOS user to Android user:
Before: "iOS is far more secure"
Now: "iOS is far more secure unless you're stupid"

It really doesn't work like this. This is a huge vulnerability and the majority of users don't know the difference between links to the App Store, links to add a web site to the home screen and links to this kind of malware.
 
This is kind of a big deal. I hope Apple sees sense to fix this as quickly as they can. I can see a lot of people falling victim of this.
 
iOS user to Android user:
Before: "iOS is far more secure"
Now: "iOS is far more secure unless you're stupid"

It really doesn't work like this. This is a huge vulnerability and the majority of users don't know the difference between links to the App Store, links to add a web site to the home screen and links to this kind of malware.

My father's 85 and he knows the difference and he was trained as an electrician in the 1950s, not a scientist...

They'll find a solution that keeps the provisioning while keeping those idiot users (who are more befuddled by technology than an octogenarian who grew up in a place with few cars in the 1930s... ) happy.
 
if you're silly enough to click on an unidentified link in an unidentified message, then click on another link to install something, you asked for it
 
Well, actually not. The video shows an install of flappy bird, while a malicious Gmail app is being installed.
The video does not mention any other app that does the same as this malicious Gmail. Those who do not use Gmail in the first place have nothing to worry about, right?

Btw: I have never used Gmail anyways.

Did you only watch the video and not read the accompanying article? It clearly states Gmail was used as an example of apps that can be duplicated. As in, outside of Apple's native apps, all other app store apps can be masqueraded.

Bolded: wrong.
 
Did you only watch the video and not read the accompanying article? It clearly states Gmail was used as an example of apps that can be duplicated. As in, outside of Apple's native apps, all other app store apps can be masqueraded.

Bolded: wrong.

they couldn't have picked a worse example to demonstrate the issue
 
This so called "Masque Attack" malware by FireEye was presented by Stefan Esser at SyScan'13. Even then security researchers said it wasn't a big deal as it requires the user to willingly give their information and grant access. :rolleyes:
 
95% of iOS users are safe.

The only way you can get affected by this is by installing an enterprise provisioning profile
 
if you're silly enough to click on an unidentified link in an unidentified message, then click on another link to install something, you asked for it

Another fantastic post by someone who fails to read the entire story and the thread - but instead, just tacks on his "opinion."
 
Additional serious consideration: we’re talking about installing apps that haven't gone through the App Store review process. That means that code that wouldn’t pass Apple’s screening can now be deployed to the phone (doesn’t magically allow things outside the SDK, but there’s definitely some “gray area” you can explore when you don’t have to worry about App rejection)

they couldn't have picked a worse example to demonstrate the issue

I think it was a terrific example because it’s easily recognized (most people know Gmail/Google), and more importantly, people generally recognize the security risk if someone was to have access to your email (personal info, account data/account reset, contacts, phone numbers, etc.)
 
In some ways it's always the same old story.
Somebody asking you to install something from outside the app store... :confused:
 
The App-Store-only approach is actually a great way to cure user stupidity and avoid actual security problems. It makes iOS less susceptible to attacks than OS X and Windows by itself. This kind of attack that abuses developer app distribution is very minor, and we haven't/won't see(n) much like it.

I'll say that my brother and I have gotten malware on Windows that was not our fault. Usually, out of nowhere, we suddenly have some browser toolbar/hijack installed that possibly installs other stuff on its own.

riight. it just magically installed itself. after you did something.
 
I honestly didn't even know it was possible to install apps from outside the App Store, so I'm slightly concerned. I often seem to get messages on websites telling me to install the app - Yahoo, Marketwatch and Gmail, do it every time I visit. I guess I might well have clicked a link thinking it was legit and could only download an app from the Apple App Store.
 
Additional serious consideration: we’re talking about installing apps that haven't gone through the App Store review process. That means that code that wouldn’t pass Apple’s screening can now be deployed to the phone (doesn’t magically allow things outside the SDK, but there’s definitely some “gray area” you can explore when you don’t have to worry about App rejection)



I think it was a terrific example because it’s easily recognized (most people know Gmail/Google), and more importantly, people generally recognize the security risk if someone was to have access to your email (personal info, account data/account reset, contacts, phone numbers, etc.)

i mean considering the amount of posts in this thread that dismiss this as something to do with google.

it's the worst company they could have picked since so many people here see red if they hear the word google.

but for the logical reasons you cite and for demonstrative purposes of course i agree.
 
95% of iOS users are safe.

The only way you can get affected by this is by installing an enterprise provisioning profile

Yeah, that's what I thought. But in iOS 8.x, it will actually install certs from signed packages, without asking the user. You get one prompt before download, which is nothing more than a Cancel or Install prompt, not a warning. Then you get one more prompt when you try to run the app. This prompt does say it's an untrusted source, but does not look anything close to the warning you used to get.

----------

I honestly didn't even know it was possible to install apps from outside the App Store, so I'm slightly concerned. I often seem to get messages on websites telling me to install the app - Yahoo, Marketwatch and Gmail, do it every time I visit. I guess I might well have clicked a link thinking it was legit and could only download an app from the Apple App Store.

If you click a download link and it flips open the AppStore, taking you out of Safari, it's safe (just make sure you're actually in the AppStore and not a spoofed website). If you click on a download link that gives you a system prompt to Cancel or Install, don't trust it.
 
I wouldn't call this "an attack", but a trap. It's up to the user to be smart enough not to fall in it. And the rule is simply: don't download from third-party sites.

People make it a big deal, especially on the news, making believe that someone can get into your phone without the user's consent.

Nothing new here, the vulnerability is in the user, not in the product.

Apple will now have to be more cautious of who they issue Certificates for beta testing. If the "attacker" is a registered developer, then we are doomed; but so is he once it's discovered.
 
I wouldn't call this "an attack", but a trap. It's up to the user to be smart enough not to fall in it. And the rule is simply: don't download from third-party sites.

People make it a big deal, especially on the news, making believe that someone can get into your phone without the user's consent.

Nothing new here, the vulnerability is in the user, not in the product.

Apple will now have to be more cautious of who they issue Certificates for beta testing. If the "attacker" is a registered developer, then we are doomed; but so is he once it's discovered.

Yeah, but you just can't allow apps to install that way, not in an Apple ecosystem. All they need to do is bring back the Profile approval prompts for the user. Why they removed this is beyond me. They claim to want to remove users from the provisioning process, but at least ask for the device passcode first. If a user is installing a package from their enterprise or a dev, then they know they're going to have to deal with some prompts, not sure why Apple thinks they need to make that part easier than it already was.
 
i mean considering the amount of posts in this thread that dismiss this as something to do with google.

it's the worst company they could have picked since so many people here see red if they hear the word google.

but for the logical reasons you cite and for demonstrative purposes of course i agree.

Oh I see, yeah, that thinking is so far off my radar I must’ve subconsciously just ignored those posts ... :D
 
I think it's absolutely negligent that Apple has known about this very serious vulnerability since July 26, almost 5 months, and they have yet to still fix it and it hasn't even been fixed in beta 8.1.1. Despicable. I bet they've been trying to keep this hidden. So much for iOS being so secure.
 