
trueluck3

macrumors newbie
Nov 10, 2014
22
0
I think it is intentional. They don't want to confuse employees who are installing their company's apps with technical details. But I agree it's way too easy now.
Apple probably think they can rely on the policies and the application process that enterprises go through before a distribution certificate is issued. But I'd guess that most of the certificates that are used to deploy malware are simply stolen.

Well, that was my other question, how are they (conceptually) obtaining the certs? Are they just hacking Apple IDs?
 

SD-B

macrumors 6502
Apr 1, 2009
399
14
Is this just related to the iPhones OR ones macs?

If I read this properly, this has been out for months and Apple has not fixed it yet.
What about the millions of apple users that will use "pirated" software off of various sites, or download torrents for them, etc?

It's one thing for them to find this out today BUT if it's been going on since July as I read here, what might have taken place for them?

And don't tell me no one does it for far too many do........

But I am not sure if these are related to apps meant for the phone/iPad or computer??!!
 

trueluck3

macrumors newbie
Nov 10, 2014
22
0
How, exactly. I know of no other way to get apps installed or updated except via the App Store. It's not like my Mac or Android tablet where one can get apps from anywhere and from sources which might not be reputable. I could see it happening that way.

If you're familiar with enterprise provisioning, imagine they simply got rid of most user intervention, involving enterprise app installation: <TAP TO INSTALL> - "You sure?" - <TAP YES> - Done. If you're not too familiar, just trust that there are other ways to install apps in enterprise environments.
 

Zetaprime

macrumors 65816
Dec 4, 2011
1,481
262
Ohio, US
If you're familiar with enterprise provisioning, imagine they simply got rid of most user intervention, involving enterprise app installation: <TAP TO INSTALL> - "You sure?" - <TAP YES> - Done. If you're not too familiar, just trust that there are other ways to install apps in enterprise environments.


I'm not nor have I ever been in an 'enterprise environment' though it does seem like a fascinating starship.
 

Rigby

macrumors 603
Aug 5, 2008
6,235
10,179
San Jose, CA
Well, that was my other question, how are they (conceptually) obtaining the certs? Are they just hacking Apple IDs?
No. The private key required for code signing is only stored in the keychain of the developer (or an admin in case of a team). This person is responsible for keeping the certificate secure. So it would either have to be stolen from that person's computer or a backup, or a corrupt team member could leak/sell it. It might also be possible for a black hat to fool Apple into issuing a distribution certificate by posing as a legit enterprise, but I don't know how thorough the vetting process is.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,460
How, exactly. I know of no other way to get apps installed or updated except via the App Store. It's not like my Mac or Android tablet where one can get apps from anywhere and from sources which might not be reputable. I could see it happening that way.
Well, as mentioned, it's right in the article (not counting a lot of discussion of it all in this very thread):

"...
Masque Attack can be used to install fake versions of apps over legitimate App Store versions using iOS enterprise provision profiles, which are used for beta testing or by companies to distribute apps to employees without the need for the official App Store.
..."
 

Zetaprime

macrumors 65816
Dec 4, 2011
1,481
262
Ohio, US
Well, as mentioned, it's right in the article (not counting a lot of discussion of it all in this very thread):



"...

Masque Attack can be used to install fake versions of apps over legitimate App Store versions using iOS enterprise provision profiles, which are used for beta testing or by companies to distribute apps to employees without the need for the official App Store.

..."


Fine. But how does that affect me if I'm not in a corporate environment?
 

Rigby

macrumors 603
Aug 5, 2008
6,235
10,179
San Jose, CA
Fine. But how does that affect me if I'm not in a corporate environment?
If someone has access to an enterprise distribution certificate issued by Apple and a matching provisioning profile, they can cryptographically sign an app bundle such that it will install on your phone. In contrast to regular provisioning profiles used for development work, enterprise profiles do not require pre-registration of the UDID of the devices, i.e. they work on any device.
 

Zetaprime

macrumors 65816
Dec 4, 2011
1,481
262
Ohio, US
If someone has access to an enterprise distribution certificate issued by Apple and a matching provisioning profile, they can sign an app bundle such that it will install on your phone. In contrast to regular provisioning profiles used for development work, enterprise profiles do not require pre-registration of the UDID of the devices, i.e. they work on any device.


How would they send it to my phone? Via Bluetooth? I keep Bluetooth off almost all the time except when I actually need to use a headset.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,460
Fine. But how does that affect me if I'm not in a corporate environment?
It might not. But it's not limited to corporate environments. Basically a developer of an app can have a beta version or some version with some fix in it that they would like to see if anyone wants to test and distribute that app in this manner where you click on an email link or an online link and get prompted to install such an app which in turn installs a profile (as that is needed to install an app like that), and that profile then could perhaps get in the hands of someone else who might misuse it and offer some other apps that pretend to be real apps. It's not to say that this would be something common of course, or that it would seem something that is all that likely to happen, but the vulnerability is there nonetheless, and might carry more of a potential impact for some and not much for many others.
 

Zetaprime

macrumors 65816
Dec 4, 2011
1,481
262
Ohio, US
It might not. But it's not limited to corporate environments. Basically a developer of an app can have a beta version or some version with some fix in it that they would like to see if anyone wants to test and distribute that app in this manner where you click on an email link or an online link and get prompted to install such an app which in turn installs a profile (as that is needed to install an app like that), and that profile then could perhaps get in the hands of someone else who might misuse it and offer some other apps that pretend to be real apps. It's not to say that this would be something common of course, or that it would seem something that is all that likely to happen, but the vulnerability is there nonetheless, and might carry more of a potential impact for some and not much for many others.


I never find myself in any of those situations.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,460
How would they send it to my phone? Via Bluetooth? I keep Bluetooth off almost all the time except when I actually need to use a headset.
You would install something from somewhere.
I never find myself in any of those situations.
Again, most people won't, but surely quite a few just might. Look at all the people with all kinds of viruses, malware, adware, spyware, etc. on their computers--quite a bit of it is something that they inadvertently install themselves somewhere down the line, it's not usually something that just appears on its own without user interaction.

Most people don't fall for basic scams that are even very obvious, and yet some still do that all those "princes" or "generals" leaving millions of dollars to people still scam enough to make it worthwhile for them to do it.
 

Zetaprime

macrumors 65816
Dec 4, 2011
1,481
262
Ohio, US
You would install something from somewhere. Again, most people won't, but surely quite a few just might. Look at all the people with all kinds of viruses, malware, adware, spyware, etc. on their computers--quite a bit of it is something that they inadvertently install themselves somewhere down the line, it's not usually something that just appears on its own without user interaction.


Ok. Well it is as I figured at first. I personally am not going to be affected since I'm not in an environment where it can happen. But I feel sorry for those who are.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,460
Ok. Well it is as I figured at first. I personally am not going to be affected since I'm not in an environment where it can happen. But I feel sorry for those who are.
Again, it's not necessarily about being in any particular environment, even just regular people can install some app that is offered to them as a "preview" before it's officially released or through some "beta" program. Many won't be in those kinds of situations, but quite a few have been and will be. But it's not really related to being in any particular environment or anything like that.
 

Zetaprime

macrumors 65816
Dec 4, 2011
1,481
262
Ohio, US
Again, it's not necessarily about being in any particular environment, even just regular people can install some app that is offered to them as a "preview" before it's officially released or through some "beta" program. Many won't be in those kinds of situations, but quite a few have been and will be. But it's not really related to being in any particular environment or anything like that.


I don't do betas or previews on my phone.
 

Fanaticalism

macrumors 6502a
Apr 16, 2013
908
158
So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.

No different from the steps one had to go through to get Malware on Android. That didn't stop it from making headlines. Here are the steps for those that were unaware.

Click a link to an APK via the web
Click yes to allow "harmful or malicious apps"
Takes you to settings to check "allow unknown sources"
Uncheck "Verify Apps"
Read through permissions
Then click install
Click Open

Just like Malware on Android, it is pretty limited to the Asian market where Google's Play Store is nonexistent. Seems to be the case here with iOS.
 

D.T.

macrumors G4
Sep 15, 2011
11,050
12,465
Vilano Beach, FL
If someone has access to an enterprise distribution certificate issued by Apple and a matching provisioning profile, they can cryptographically sign an app bundle such that it will install on your phone. In contrast to regular provisioning profiles used for development work, enterprise profiles do not require pre-registration of the UDID of the devices, i.e. they work on any device.

Pretty much. I can do it right now, as one of my dev accounts is an Enterprise account.

I can build an app that works like Gmail, bundle up all the same assets so it looks the same, and use the same Bundle ID, com.google.GMail, and if you clicked a link pointing the distribution, you’d get a confirm, then an install (and it would replace your existing legit Gmail app).

More effort, but slightly more insidious - send a link that drops the user on a web page that looks like a legit App Store UI. The email wouldn’t be some janky “Click This”, but an easily spoofed email from Apple with the App of the Week design.
 
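The two properties discussed in the posts above (an enterprise profile carries no device list, and an install replaces an existing app that has the same bundle ID) can be checked from the defender's side. The following is an added example, not part of any post in this thread: Python that reads the provisioning profile embedded in an app package and flags an enterprise profile, or a known bundle ID signed by an unexpected team. The allow-list, team IDs and sample profiles are constructed placeholders, and the CMS signature around the profile is not verified.

```python
import plistlib

# Constructed allow-list: bundle ID -> Team ID expected to sign it (placeholder values).
EXPECTED_TEAM = {"com.example.mail": "AAAAAAAAAA"}

def extract_profile(blob: bytes) -> dict:
    """Return the plist carried inside a CMS-wrapped .mobileprovision.
    The CMS signature is NOT verified here; this is for triage only."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"          # no UDID list: installs on any device
    if profile.get("ProvisionedDevices"):
        return "device-restricted"   # development / ad hoc: UDIDs pre-registered
    return "no-device-list"          # e.g. an App Store distribution profile

def triage(profile: dict, bundle_id: str) -> list:
    """List reasons this package deserves a closer look before it is trusted."""
    findings = []
    team = (profile.get("TeamIdentifier") or [""])[0]
    if classify(profile) == "enterprise":
        findings.append("enterprise-profile")
    expected = EXPECTED_TEAM.get(bundle_id)
    if expected and team != expected:
        findings.append("bundle-id-signed-by-unexpected-team")
    return findings

def make_sample(team: str, enterprise: bool) -> bytes:
    """Constructed sample: a plist between stand-in bytes for the CMS envelope."""
    body = {"TeamIdentifier": [team], "TeamName": "Constructed Sample Org",
            "Entitlements": {"application-identifier": team + ".com.example.mail"}}
    if enterprise:
        body["ProvisionsAllDevices"] = True
    else:
        body["ProvisionedDevices"] = ["0" * 40]
    return b"\x30\x82CMS" + plistlib.dumps(body) + b"\x00sig"

if __name__ == "__main__":
    for team, ent in (("BBBBBBBBBB", True), ("AAAAAAAAAA", False)):
        p = extract_profile(make_sample(team, ent))
        print(team, classify(p), triage(p, "com.example.mail"))
```

The bundle ID passed to `triage` would come from `CFBundleIdentifier` in the package's `Info.plist`.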

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,460
I don't do betas or previews on my phone.
And that's fine. What I was saying is that this can apply to anyone. Anyone can certainly choose what they do or don't do, but it's not limited to someone who jailbreaks, or to someone that uses their device in an enterprise environment or anything like that. It might not be something that you end up doing, as is the case for many other things I'm sure, but that doesn't mean much as far as what many others do or might do, or what that means as far as this issue being in existence and/or needing to be addressed in some way.
 

Zetaprime

macrumors 65816
Dec 4, 2011
1,481
262
Ohio, US
And that's fine. What I was saying is that this can apply to anyone. Anyone can certainly choose what they do or don't do, but it's not limited to someone who jailbreaks, or to someone that uses their device in an enterprise environment or anything like that. It might not be something that you end up doing, as is the case for many other things I'm sure, but that doesn't mean much as far as what many others do or might do, or what that means as far as this issue being in existence and/or needing to be addressed in some way.


And though it doesn't affect me I sure hope Apple fixed it.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,460
No different from the steps one had to go through to get Malware on Android. That didn't stop it from making headlines. Here are the steps for those that were unaware.

Click a link to an APK via the web
Click yes to allow "harmful or malicious apps"
Takes you to settings to check "allow unknown sources"
Uncheck "Verify Apps"
Read through permissions
Then click install
Click Open

Just like Malware on Android, it is pretty limited to the Asian market where Google's Play Store is nonexistent. Seems to be the case here with iOS.
And in the iOS case it actually can even involve less steps and less warnings, especially as of iOS 8 it would seem.
 

trueluck3

macrumors newbie
Nov 10, 2014
22
0
No. The private key required for code signing is only stored in the keychain of the developer (or an admin in case of a team). This person is responsible for keeping the certificate secure. So it would either have to be stolen from that person's computer or a backup, or a corrupt team member could leak/sell it. It might also be possible for a black hat to fool Apple into issuing a distribution certificate by posing as a legit enterprise, but I don't know how thorough the vetting process is.

Yeah, that's what I thought. Which is a pretty tough scenario to come across, but certainly not impossible. The last resort and saving grace is the Apple remote shutdown / blacklist. So you combine that with the enterprise approval process, and you're pretty good, overall. But there's just no reason to remove the prompt. Unless, however, you can implement approved packages and certs, and then, through additional, explicit preferences in MDM / Apple Configurator, allow installation of approved packages, without a security prompt.
 