Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
'Masque Attack' Vulnerability Allows Malicious Third-Party iOS Apps to Masquerade as Legitimate Apps
- Thread starter MacRumors
- Start date
- Sort by reaction score
Also - by doing so, are they suggesting that Apple shouldn't fix the issue?
Because from the posts of some, that's how it sounds. No big deal - move along.
Big deal or not - if a flaw is found in security, it should be fixed. Pretty much end of story.
interesting
Interesting video... but the bigger question is "How did John know to send a text message with a link to the malicious download app?"
Did John's phone get hacked? Did he purposely type this message? Who is John anyways?
I've had friends' facebook profile get hacked and received stupid IMs from them that clearly aren't legit. But the lesson here is that I had always thought my phone was secure enough that I could click their silly links just out of curiosity, expecting my phone to deny and fail at any attempt to download a malicious virus.
Apparently that is no longer the case.
Interesting video... but the bigger question is "How did John know to send a text message with a link to the malicious download app?"
Did John's phone get hacked? Did he purposely type this message? Who is John anyways?
I've had friends' facebook profile get hacked and received stupid IMs from them that clearly aren't legit. But the lesson here is that I had always thought my phone was secure enough that I could click their silly links just out of curiosity, expecting my phone to deny and fail at any attempt to download a malicious virus.
Apparently that is no longer the case.
We can mock people for being stupid all we want, but look after your parents who may not know better. I spend so much time removing malware off my parents' and inlaws' computers and sadly they never learn. I almost want to lock their computers down with myself as the admin.
So the message came from their company telling them to go download Flappy Bird? I would like to work at that place. Sounds like fun!An SMS or something else. It wouldn't be too hard, if you targeted someone specific, to send a well-made email to that person showing his friend, boss, ... address or something, or even hide behind an address like it@company.com requesting all users to update an app.
A "huge" vulnerability doesn't mean it can affect absolutely everyone.
Which is how a few app in the business world are installed, like from private app stores. and this isn't being stupid, this is doing what your company request you to do
You don't get my point, yes it can be done to any third party app, but you would need to have a malicious modified app to take its place. I doubt that there are that many malicious app that you could not spot with one eye closed from a mile away....
----------
I wrote the article, but find it hard to believe that the is a large number of masqueraded apps out there. Next to this the video is just stupid, because instead of flappy bird you get Gmail and nobody notices anything? I think it takes some serious programming to have multiple apps to behave in such a way that a users is unaware of its malicious nature. Usually, the 'good' apps already have sufficient bugs. I am not taking this too serious as you might have noticed: a storm in a glass of water.
The vitriol on this forum directed at people who simply don't know any better is disappointing.
Just like phishing and scams can be spotted from a mile away, except for those who actually fall for them since we all know there are unfortunately enough of those. And clearly things are put in place to deal with things of that nature as best as can be.
There is an issue here and no matter how likely that most people won't be affected by it it doesn't change the basic fact that the issue is present and given that it's related to security (again no matter how obscure it might be), it needs to be dealt with.
----------
Yup, that's really all it comes down to. All that extraneous discussions about people being stupid or needing to be careful still don't address the actual issue that is there which requires an actual software and/or policy fix from Apple.
This needs to be fixed (completely). In iOS 7 a web page could automatically redirect you to the App Store to look at an app. I never installed an app when confronted with this behavior, but I did somehow install Where's my Water a few times. I always wondered, what if this was actually a fake App store. Would/should the install succeed. In iO8 this is no longer possible.
Apple needs to fix this other hole by disabling this Enterprise feature by default.
Last edited:
Unfortunately the automatic redirects to the App Store can still happen even in iOS 8 (where that was supposed to have been addressed).
I also wanted to discuss the issue with this particular exploit. We've all been focused on the capability of installing an app, outside the AppStore and, a little, on how it can replace an AppStore app, stealing it's sandboxed data. But the point that's missed, is when you maliciously deploy the payload this way, replacing an existing app, it doesn't give you the second, untrusted developer warning. So you click the link, it asks if you want to Cancel or Install, you choose Install and, because it's "updating" an existing trusted app, is allowed to run, without being explicitly trusted. Do I have this right? That's what it looks like on the video.
Technically this isn't really a virus either. And realistically no actual OS is exploit free, just those that haven't really had many exploits discovered or actually used for something.
Must be a joke since I can't take that any other way...
----------
Its probably using the access outside the sandbox that the original app has. So, yes, that's a major issue. In fact, the fact that it can update an app that it can claim to be any app is the real vulnerability. Claiming that it is aa trusted app update could get it installed by people. Provisioning enables it by giving too much power to the IT guy wielding it.
Before IOS 6 you had to actually enter your pin to get updates (though I don't know if provisioning profiles bypassed this back then), but now you don't. So, it is using a function that simplifies your life to bypass security if the app that's updating is not the authentic true app. Maybe they should verify the certificate of the provisioned app against the original app certificate to see if it comes from the same source before updating silently (or updating at all).
Your statement just lets me know that you don't understand vulnerability at all. Or Android.
Apple inconveniences and limits users and costs developers endless thousands (sending some out of business) with their draconian application approval process, claiming it needs to because of security concerns.
Now it's obvious that a bad joke, and Apple doesn't really care about security, otherwise it would actually pay attention to security issues, and this wouldn't happen.
Just remember folks, Apple are making you pay top dollar for their phones, but deliver dross because they're more concerned with squeezing more profit out of developers and users.
Now it's obvious that a bad joke, and Apple doesn't really care about security, otherwise it would actually pay attention to security issues, and this wouldn't happen.
Just remember folks, Apple are making you pay top dollar for their phones, but deliver dross because they're more concerned with squeezing more profit out of developers and users.
Samcraig, I did not suggest that Apple should not figure out a way to close this loop, I merely pointed out that this threat is not as high as people wanted to make it be. Practically, the threat is relatively low. You'll need an extremely bad luck to get hit by this. Someone not only need the privileges to install an untrusted app over the web, but your explicit permission as well. Apple can also disable enterprise apps by revoking certificates. Just stick to downloading from the App Store, people will be fine.
My thinking as well. I'm one of the folks who are very unlikely to encounter this vulnerability since I'm just a regular consumer and only use the App Store.
Well I find the "argument" irrelevant. I never weighed in on how much of a threat or "big deal" it is. The point I and several others have made is that if there's a known security issue - it should be plugged. End of story. Why people are continuing to argue over who is vulnerable, and why a person might be stupid to have this happen to them are immaterial.
Here we go... several 100s more MBs of patch download
I must be at 10GB over the past four weeks or so - not complaining really
I must be at 10GB over the past four weeks or so - not complaining really
When one person blows problem like this out of proportion, another (normal ordinary user) person get panicky, the impression they get is that Apple is not secured anymore ("what should I do, will the patch coming quickly, I am scared"), whereas such things are further from the truth. My point is, not everything is black and white. Apple will fix this, but they also have priority. If a person (might be stupid enough) opened the door to invite such threat, everyone thought they are too vulnerable to this. That is simply not true.