Bye, bye malware and virus free Apple world. What the haters have now against Windows, the beloved "intuitive UI" or that "it just works"? It does not.

The App-Store-only approach is actually a great way to cure user stupidity and avoid actual security problems. It makes iOS less susceptible to attacks than OS X and Windows by itself. This kind of attack that abuses developer app distribution is very minor, and we haven't/won't see(n) much like it.

I'll say that my brother and I have gotten malware on Windows that was not our fault. Usually, out of nowhere, we suddenly have some browser toolbar/hijack installed that possibly installs other stuff on its own.
 
I've yet to see a thread/post on Macrumors from someone claiming to be victim to a vulnerability/virus.
There are definitely threads that circulate often though everyone writes them off as something else going on or some other user issue and nothing more, so they don't end up getting much discussion/attention.

That said, whether or not people who might have issues related to this might actually post on some online forum doesn't change any of the underlying facts that the issue exists and should be dealt with.
 
I’m reading along getting more and more worried until I read “users can protect themselves by not installing apps from outside the App Store.”

Whew. I’m good.
 
The first block also talks about them being installed on their own as well without interaction with the user or even any notification to the user, just as it talks about the user not having a way to see them or manage them (short of using Xcode). It talks about all aspects of profiles, not just removal/management, but also installation.

The second part from Apple talks about Xcode, but the part that's important there which is called out separately on its own, as I mentioned, is that profiles can be installed simply with the app as it gets installed (basically without any user interaction or even knowledge necessarily).

And, again, as I mentioned earlier, I have had personal experience with this just a week ago (which is how I came across these various articles/discussions about it)--with no profiles of any sort on my iOS 8.1 device I was able to install a beta application from a link in an email that installed the app with no prompts or references to any profiles or anything like that and then I was able to see the installed profiles (two of them got installed for that particular app) via Xcode as there was no way to do it on the device itself. So, that part of it all is definitely quite real.

So you're saying you had a fresh device, with iOS 8.1, not from an iTunes or OTA upgrade, and not restored from a backup, and never connected via USB to your Xcode box? And whose beta app was it, your own? That would be crazy, because, again, the documentation you are referring to is for devices that are already provisioned via Xcode or Apple Configurator (Trusted USB), or an MDM server like OS X Server Profile Manager.
 
In fact, it has a name called "Jailbreaking". How it gets installed is as important as it CAN be installed. Do it at your own risk. The moment an iPhone can't be jailbroken, is the moment when all of these problems vanish.

Except this has nothing to do with jailbreaking. Because you don't need a jailbroken device for this flaw in security to be taken advantage of.

Regardless - are you suggesting that Apple shouldn't figure a way to close this loop? This flagged issue should go unsolved?

Personally I disagree
 
This is a scam too???

Waveapp.im

Got an email with a link that downloads the Wave email app to iOS that then requires Google Mail login. Was too suspicious so didn't give my login.
Supposedly a new app by the creators of Seedmail

Email had my name and was offering a beta test place as a previous seed mail user, which I was.
Doesn't seem like a scam: https://forums.macrumors.com/threads/1816857/ But basically one of the fairly straightforward real world examples of where something like this can potentially come into play.
 
So you're saying you had a fresh device, with iOS 8.1, not from an iTunes or OTA upgrade, and not restored from a backup, and never connected via USB to your Xcode box? And whose beta app was it, your own? That would be crazy, because, again, the documentation you are referring to is for devices that are already provisioned via Xcode or Apple Configurator (Trusted USB), or an MDM server like OS X Server Profile Manager.
A newly restored device without any backups that was used for testing that had no profiles or provisioned with anything in any way. In that case it was an invitation beta for a calendar app from a developer and an app that was never used on that device before. You can certainly choose to look for holes in all of this, but this is how it ended up working with iOS 8, and what the information in various articles/discussions seems to confirm (as it goes beyond those specific things that you mention).

Things were changed with iOS 8 where profiles can be installed simply as part of installing an app and there is no way to view/manage/remove them from the device itself aside from connecting it to Xcode and doing it from there. And while that might be simpler for the end user it's certainly not more secure and gives the end user less information/control.

----------

Didn't someone on this thread just confirm the profiles were visible? So, why would yours not be visible?
Potentially different types of profiles and/or different ways of installing them. Something is definitely at least somewhat different about it all in iOS 8.
 
Why in the world would you install a profile from a random site, with an .RE TLD no less. Don't mean to be rude, but that's a head smacker...definitely delete it.

It came from the official app store. I thought Apple approved this app? I'm very confused now. How do I know that this is or isn't legit. I am very upset.

Here's the link again in case anyone knows what I've maybe gotten myself into?

Disconnect Mobile - Privacy and Security by Disconnect
https://appsto.re/us/1dLF0.i
 
This is like saying locks on your front door have a security flaw because anyone could knock and say they are the police or fake who they are to get you to open the door.

Doorgate
 
So you're saying you had a fresh device, with iOS 8.1, not from an iTunes or OTA upgrade, and not restored from a backup, and never connected via USB to your Xcode box? And whose beta app was it, your own? That would be crazy, because, again, the documentation you are referring to is for devices that are already provisioned via Xcode or Apple Configurator (Trusted USB), or an MDM server like OS X Server Profile Manager.
Provisioning profiles can be embedded into the app bundle. That has always been possible. What seems to be new is that iOS 8 is not prompting the user separately for installing the profile anymore.
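
An added example, not part of any post in this thread: a defender-side check that reads the provisioning profile embedded in an .ipa and flags an install-anywhere (enterprise) build that reuses the bundle identifier of an app you already rely on. The `KNOWN_STORE_IDS` inventory, the `com.example.*` identifiers and the sample archive are constructed; the CMS signature on the profile is not verified.

```python
import io
import plistlib
import zipfile

# Hypothetical inventory of bundle IDs for store apps the organisation relies on.
KNOWN_STORE_IDS = {"com.example.mail"}


def extract_profile(blob):
    """embedded.mobileprovision is a CMS-signed blob wrapping an XML plist;
    slice the plist out of it (the signature itself is not checked here)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def inspect_ipa(data):
    """Report how an .ipa is provisioned and whether it reuses a known bundle ID."""
    with zipfile.ZipFile(io.BytesIO(data)) as ipa:
        names = ipa.namelist()
        info_name = next((n for n in names if n.startswith("Payload/")
                          and n.count("/") == 2 and n.endswith(".app/Info.plist")), None)
        if info_name is None:
            raise ValueError("no Payload/<name>.app/Info.plist in archive")
        info = plistlib.loads(ipa.read(info_name))  # handles XML and binary plists
        prof_name = info_name.replace("Info.plist", "embedded.mobileprovision")
        profile = extract_profile(ipa.read(prof_name)) if prof_name in names else None
    bundle_id = info["CFBundleIdentifier"]
    if profile is None:
        kind = "no embedded profile"
    elif profile.get("ProvisionsAllDevices"):
        kind = "enterprise in-house"      # installable on any device
    elif "ProvisionedDevices" in profile:
        kind = "development/ad hoc"       # limited to the listed device IDs
    else:
        kind = "unknown"
    suspicious = kind == "enterprise in-house" and bundle_id in KNOWN_STORE_IDS
    team = profile.get("TeamName") if profile else None
    return {"bundle_id": bundle_id, "team": team, "kind": kind, "suspicious": suspicious}


def build_sample_ipa(bundle_id, profile=None):
    """Constructed input: a minimal .ipa with fake signature bytes around the profile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        if profile is not None:
            z.writestr("Payload/Demo.app/embedded.mobileprovision",
                       b"\x30\x82CMS" + plistlib.dumps(profile) + b"\x00SIG")
    return buf.getvalue()
```
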
 
A newly restored device without any backups that was used for testing that had no profiles or provisioned with anything in any way. In that case it was an invitation beta for a calendar app from a developer and an app that was never used on that device before. You can certainly choose to look for holes in all of this, but this is how it ended up working with iOS 8, and what the information in various articles/discussions seems to confirm (as it goes beyond those specific things that you mention).

Things were changed with iOS 8 where profiles can be installed simply as part of installing an app and there is no way to view/manage/remove them from the device itself aside from connecting it to Xcode and doing it from there. And while that might be simpler for the end user it's certainly not more secure and gives the end user less information/control.

----------

Potentially different types of profiles and/or different ways of installing them. Something is definitely at least somewhat different about it all in iOS 8.

I stand corrected, just tried it myself. Although, it did ask me to trust the developer first, before I could launch the app. So while most of us here, having in-depth technical discussions, would not likely run into this issue, I know plenty of "grandpas" and "uncles" that will simply say "Sure, I trust 'em, I was just at their website!", and that's no good. Definitely something that needs to be corrected, and they must bring back some method of, at least, viewing installed profiles. Feelin' pretty flooded right now... :eek:

----------

Provisioning profiles can be embedded into the app bundle. That has always been possible. What seems to be new is that iOS 8 is not prompting the user separately for installing the profile anymore.

Yeah, just tested it myself. Not sure what in the world is going on, but with the unprecedented amount of bugs still found in iOS 8.1 (and even still in 8.1.1) and in Yosemite, I have to imagine this is on the fix list. Apple's having a bad year for software builds. The enhancements are great, but right now they're only concept, as they simply do not work...but that's beside the point. This method, of installing profiles, simply cannot exist and must be corrected.
 
I stand corrected, just tried it myself. Although, it did ask me to trust the developer first, before I could launch the app. So while most of us here, having in-depth technical discussions, would not likely run into this issue, I know plenty of "grandpas" and "uncles" that will simply say "Sure, I trust 'em, I was just at their website!", and that's no good. Definitely something that needs to be corrected, and they must bring back some method of, at least, viewing installed profiles. Feelin' pretty flooded right now... :eek:
Yeah, there was that prompt there, but nothing related to a profile, and nothing to actually see a profile later (and remove it) on the device itself. Basically similar to what various screenshots from the FireEye blog entry about this Masque Attack show: http://www.fireeye.com/blog/technic...ue-attack-all-your-ios-apps-belong-to-us.html
 
It came from the official app store. I thought Apple approved this app? I'm very confused now. How do I know that this is or isn't legit. I am very upset.

Here's the link again in case anyone knows what I've maybe gotten myself into?

Disconnect Mobile - Privacy and Security by Disconnect
https://appsto.re/us/1dLF0.i

Oh, my bad, LoL. That's an AppStore short link, you should be fine.

----------

Yeah, there was that prompt there, but nothing related to a profile, and nothing to actually see a profile later (and remove it) on the device itself. It's basically the experience that is shown on the FireEye blog entry about this Masque Attack: http://www.fireeye.com/blog/wp-content/uploads/2014/11/Untitled1.jpg

Yeah, just crazy. WTF are they thinking? I mean, that has to be an oversight right? They didn't really intend to allow side loads without a damn password, did they? Even if they fixed it so that it wouldn't overwrite AppStore apps, they need to bring back the in-your-face profile installation prompt, followed by the PIN / passcode requirement. I mean, really...WTF??
 
This is like saying locks on your front door have a security flaw because anyone could knock and say they are the police or fake who they are to get you to open the door.

Doorgate

So you think Apple should just leave iOS alone and not fix this?

----------

Oh, my bad, LoL. That's an AppStore short link, you should be fine.

----------



Yeah, just crazy. WTF are they thinking? I mean, that has to be an oversight right? They didn't really intend to allow side loads without a damn password, did they? Even if they fixed it so that it wouldn't overwrite AppStore apps, they need to bring back the in-your-face profile installation prompt, followed by the PIN / passcode requirement. I mean, really...WTF??

Pretty much my point. It has nothing to do with whether or not someone is "stupid" - it simply shouldn't work this way.
 
iOS is targeted at non computer users

So this basically affects stupid people who click on links to sideload apps.

Yes 95% of us who are computer literate would be aware enough to detect a phishing attempt to side load an app and not be vulnerable to this. The big problem is that iOS devices are being marketed to and used by a vast majority of users who use their devices like they use the remote on their TVs, if something pops up on the screen they are likely to just click on it.

It's not that they are stupid but more a result of the reality that Apple has done such a great job of masking the fact that our phones and iPads are in fact computers and can be exploited just like any computer. They have an obligation to proactively protect their customers from themselves against an obvious and dangerous vulnerability like this.

This accessibility has enabled folks like my 85 year old mother to use a computer even though she is terrified of them. I would not consider her stupid for falling prey to something like this given how many times she's been told how safe it is.
 
Isn't this something that would affect jailbroken users only? As a non-jailbroken user the only source of apps is the App Store. Wouldn't it be up to Apple to make sure that apps are safe?
 
Yes 95% of us who are computer literate would be aware enough to detect a phishing attempt to side load an app and not be vulnerable to this. The big problem is that iOS devices are being marketed to and used by a vast majority of users who use their devices like they use the remote on their TVs, if something pops up on the screen they are likely to just click on it.

It's not that they are stupid but more a result of the reality that Apple has done such a great job of masking the fact that our phones and iPads are in fact computers and can be exploited just like any computer. They have an obligation to proactively protect their customers from themselves against an obvious and dangerous vulnerability like this.

This accessibility has enabled folks like my 85 year old mother to use a computer even though she is terrified of them. I would not consider her stupid for falling prey to something like this given how many times she's been told how safe it is.

Right.. But panic is not an option is it? Seems it's constant drama here (and not just on this subject, any subject). Even as phishing attacks go, this one is very sophisticated on the attacker side and needs the user itself to be more trusting than the usual naive one.
 
Yeah, just tested it myself. Not sure what in the world is going on, but with the unprecedented amount of bugs still found in iOS 8.1 (and even still in 8.1.1) and in Yosemite, I have to imagine this is on the fix list.
I think it is intentional. They don't want to confuse employees who are installing their company's apps with technical details. But I agree it's way too easy now.
This method, of installing profiles, simply cannot exist and must be corrected.
Apple probably think they can rely on the policies and the application process that enterprises go through before a distribution certificate is issued. But I'd guess that most of the certificates that are used to deploy malware are simply stolen.
 
So you think Apple should just leave iOS alone and not fix this?

----------



Pretty much my point. It has nothing to do with whether or not someone is "stupid" - it simply shouldn't work this way.


Absolutely. This has nothing to do with people making bad choices, it has to do with the wrong choices being placed, haphazardly, into the hands of the wrong people...mainly, end users. I certainly don't think this is the end of security for iOS, but it is a massive speed bump. I seriously fail to see the thought process of such a move, amidst all the recent security breaches of late. Which is why I have to think it's just another bug, in a sea of iOS bugs, and somehow they were trying to execute something else and failed.
 
Isn't this something that would affect jailbroken users only? As a non-jailbroken user the only source of apps is the App Store. Wouldn't it be up to Apple to make sure that apps are safe?
If you read the article and the thread you will see that it has nothing to do with jailbreaking and there's more to iOS apps than something from the App Store or through jailbreaking.
 
If you read the article and the thread you will see that it has nothing to do with jailbreaking and there's more to iOS apps than something from the App Store or through jailbreaking.


How, exactly. I know of no other way to get apps installed or updated except via the App Store. It's not like my Mac or Android tablet where one can get apps from anywhere and from sources which might not be reputable. I could see it happening that way.
 