Who installs apps from non-official app stores?? I never did that even when I had an Android.

Also more importantly... Why would you answer a text/email from someone you do not know?

I've responded to texts from people I didn't know. Usually they legitimately sent the text to the wrong number. I could either let them know they've made a mistake, or let messages come in for hours going on about their love life until it turns to anger because they think their lover is ignoring them.

Some have been appreciative of the correction before they spilled too much intimate detail. While others thought their crush was being deceptive by stating they had a wrong number. It's sometimes amusing what people say in texts.

I remember one claiming to be my Latin lover. They initially were upset that they thought I was rejecting them. But rather than get texts for hours with them spilling their hearts out, I'd rather respond and let them know they're sharing details with the wrong person.

I've also gotten messages from people I met a long time ago and weren't in my contact list. Answering messages from unknowns can reveal someone you do know or once knew and may not have had in your list. Responding to one of those is how I came to be reconnected with someone very important to my life now.
 
And that's fine. What I was saying is that this can apply to anyone. Anyone can certainly choose what they do or don't do, but it's not limited to someone who jailbreaks, or to someone that uses their device in an enterprise environment or anything like that. It might not be something that you end up doing, as is the case for many other things I'm sure, but that doesn't mean much as far as what many others do or might do, or what that means as far as this issue being in existence and/or needing to be addressed in some way.

Honestly, that truly is the point here. Any one of the best, most tech savvy users can inadvertently click such an unthreatening prompt.
 
Maybe I'm misunderstanding/reading but I have pairing profiles on my iPhone 5s with 8.1 installed and I can see those profiles under General in settings.
 
Honestly, that truly is the point here. Any one of the best, most tech savvy users can inadvertently click such an unthreatening prompt.

You have to click on a few prompts... Inadvertently? And then not realize one of your Apps got wiped and didn't get what you clicked for. On the other side, someone needs an enterprise profile signed by Apple (not revoked).

They probably need to fix the installation of one app overwriting another without the knowledge of the user (so someone at least doesn't get one of their apps replaced maliciously), but for the rest, not sure what Apple can do more than they're doing now. Even if they exposed the profiles to the users and got them to click to accept... It would still just be one more click the users would possibly do... This wouldn't stop them.
 
No thanks. I never go for offers like that. If it looks too good to be true it usually is.
Actually lots of legitimate betas out there for different apps, so nothing really wrong with people deciding to use those (with or usually without any compensation). Generally nothing that looks too good for most of those.
 
Actually lots of legitimate betas out there for different apps, so nothing really wrong with people deciding to use those (with or usually without any compensation). Generally nothing that looks too good for most of those.


Nope not me. I didn't even go for the Tapatalk beta. I don't do betas on my phone. Period. I'm much pickier about what goes on my phone because I need it to work as a phone and not doing anything that would make it less stable or reliable.
 
You have to click on a few prompts... Inadvertently? And then not realize one of your Apps got wiped and didn't get what you clicked for. On the other side, someone needs an enterprise profile signed by Apple (not revoked).

They probably need to fix the installation of one app overwriting another without the knowledge of the user (so someone at least doesn't get one of their apps replaced maliciously), but for the rest, not sure what Apple can do more than they're doing now. Even if they exposed the profiles to the users and got them to click to accept... It would still just be one more click the users would possibly do... This wouldn't stop them.
With iOS 8 one or at most two prompts, and they might very well be fully expected if someone is installing some beta or preview app, which is generally quite legitimate and quite a few people do.

Aside from fixing the whole installation over another app part, there's no need to hide profile installations or management of them from the users as has been the case prior to iOS 8. Even if it's just one extra prompt, it's still something that tells you something else aside from the app (the profile) was installed so you would at least know and see that, and often to install the profile you have to (or at least had to) enter your passcode too, so there's that deterrent as well.

----------

Nope not me. I didn't even go for the Tapatalk beta. I don't do betas on my phone. Period. I'm much pickier about what goes on my phone because I need it to work as a phone and not doing anything that would make it less stable or reliable.
Sure, again, we understand, not you, but again, quite a few others. All of this isn't to say that you would do anything, it's to point out that with these things there's no particular environment to be in and no particular "too good to be true" catch that would necessarily be obvious--it can be part of fairly regular things that at least some people do.
 
So we have another malware that will utilize Apple approved technical approaches to install a fake Gmail app, which will ask your permission to trust an untrusted certification, so that it can finally do something bad.

Wow the world is coming to an end.
 
So we have another malware that will utilize Apple approved technical approaches to install a fake Gmail app, which will ask your permission to trust an untrusted certification, so that it can finally do something bad.

Wow the world is coming to an end.
Nothing has to come to an end for there to still be an issue that needs to be addressed. Plenty of less obvious and even less problematic security issues get discovered everywhere all the time and get patched. The more secure a system is typically seen to be and is made out to be the more discussion there would typically be for any exploit that could be found for it. Doesn't mean the world is ending or anything like that, but it still means there's an issue that people should know about and more importantly that should be addressed.
 
So we have another malware that will utilize Apple approved technical approaches to install a fake Gmail app, which will ask your permission to trust an untrusted certification, so that it can finally do something bad.



Wow the world is coming to an end.


Heh..the world is coming to an end but not because of this stuff. Climate catastrophe and Ebola or some other plague will wipe out humanity soon enough.
 
You have to click on a few prompts... Inadvertently? And then not realize one of your Apps got wiped and didn't get what you clicked for. On the other side, someone needs an enterprise profile signed by Apple (not revoked).

They probably need to fix the installation of one app overwriting another without the knowledge of the user (so someone at least doesn't get one of their apps replaced maliciously), but for the rest, not sure what Apple can do more than they're doing now. Even if they exposed the profiles to the users and got them to click to accept... It would still just be one more click the users would possibly do... This wouldn't stop them.

While I agree that it's a difficult attack vector, you're still thinking like a techie. I have clients that agree to every warning under the sun, just to install that $100 program they found, for free, on this "great site called warez.com." You see where I'm going.

The app getting overwritten is a special little extra, that I haven't ranted about yet. What makes this exploit especially alarming is the fact that the system treats it like an upgrade serving up whatever data may have been cached. So having some random payload installed from the web is one thing, having it slip into another app's sandbox is a whole new issue.
 
Nothing has to come to an end for there to still be an issue that needs to be addressed. Plenty of less obvious and even less problematic security issues get discovered everywhere all the time and get patched. The more secure a system is typically seen to be and is made out to be the more discussion there would typically be for any exploit that could be found for it. Doesn't mean the world is ending or anything like that, but it still means there's an issue that people should know about and more importantly that should be addressed.

Agreed, let's go get a beer.
 
So this is proof of concept vs. an actual exploit that is out in the wild? When you install an enterprise app there are no prompts asking if you want to provision first and no alerts afterward? This exploit goes beyond regular enterprise app permissions and gets root access? If no then how does it intercept email and texts? Thanks.
 
So this is proof of concept vs. an actual exploit that is out in the wild? When you install an enterprise app there are no prompts asking if you want to provision first and no alerts afterward? This exploit goes beyond regular enterprise app permissions and gets root access? If no then how does it intercept email and texts? Thanks.

You first have to install the enterprise profile (click on a link with a stolen cert signed by Apple (that hasn't been revoked) for your enterprise), then you have to click another link and then accept the installation of the app of name X.

One of the issues is that app name X replaces App Y without telling you it does that (because it was claiming it was app X). So, if you use app Y, well if it's agile enough to imitate it, you could give info you're not supposed to to that app (they're probably only imitating the logging screen anyway to get your password).

Of course, since app X is now installed as App Y, you actually didn't get App X at all. That should give you a clue there is a problem... That and probably seeing App Y with the download bar on its icon when it shouldn't have it.
 
I'm curious how much data this vulnerability could allow access to. The quote mentioned cached emails and potentially login-tokens, would it also include other cached data?
Let's say the attacker replaced something like 1Password or other password saving application.

Looking forward to Apple patching this up as soon as possible.
 
You first have to install the enterprise profile (click on a link with a stolen cert signed by Apple (that hasn't been revoked) for your enterprise), then you have to click another link and then accept the installation of the app of name X.

One of the issues is that app name X replaces App Y without telling you it does that (because it was claiming it was app X). So, if you use app Y, well if it's agile enough to imitate it, you could give info you're not supposed to to that app (they're probably only imitating the logging screen anyway to get your password).

Of course, since app X is now installed as App Y, you actually didn't get App X at all. That should give you a clue there is a problem... That and probably seeing App Y with the download bar on its icon when it shouldn't have it.
It seems that the profile can get installed transparently essentially simply as part of the app installation, at least in iOS 8.
 
You first have to install the enterprise profile (click on a link with a stolen cert signed by Apple (that hasn't been revoked) for your enterprise), then you have to click another link and then accept the installation of the app of name X.

One of the issues is that app name X replaces App Y without telling you it does that (because it was claiming it was app X). So, if you use app Y, well if it's agile enough to imitate it, you could give info you're not supposed to to that app (they're probably only imitating the logging screen anyway to get your password).

Of course, since app X is now installed as App Y, you actually didn't get App X at all. That should give you a clue there is a problem... That and probably seeing App Y with the download bar on its icon when it shouldn't have it.

Thanks for the info! So the install could really occur just like in the video? It is misleading that the video shows that the masquerading apps instantly have access to all your info like email and texts without entering your username or passwords.
 
When iOS's SA/QC teams even failed to get the native apps to work right, what can we expect about defending (or fixing) aasholes? I mean backholes.

I didn't just disappoint about iOS 8, it is indeed the first version of iOS I hate.

If we can vote for the Apple CEO, I vote Elon Musk over Tim Cook. At least he sounds much more visionary in future technology, as a contrast to Tim's shortsighted U2 and Beat business decisions... :mad:
 
It seems that the profile can get installed transparently essentially simply as part of the app installation, at least in iOS 8.

You're sure that it doesn't need a separate click? Since the profile install doesn't need user input if the certificate is OK, I guess it could get installed at the same time and then you'd only need to click twice instead of 3 times.

I'd wait for someone to confirm that first.

But, as I said, it wouldn't matter much anyway, people would click anyway even if the profile had a big warning in bright red letters :).

Ideally, provisioning should probably be turned on by company IT on a phone by phone basis by putting a corporate certificate specific to the phone before being given to the user. A phone should only accept certificates from specific companies or not at all (disable provisioning).

----------

When iOS's SA/QC teams even failed to get the native apps to work right, what can we expect about defending (or fixing) aasholes? I mean backholes.

I didn't just disappoint about iOS 8, it is indeed the first version of iOS I hate.

If we can vote for the Apple CEO, I vote Elon Musk over Tim Cook. At least he sounds much more visionary in future technology, as a contrast to Tim's shortsighted U2 and Beat business decisions... :mad:

7 is almost like 8 from a user point of view, so not sure what you're talking about. Elon Musk is a gasbag who is one big bad decision from going bankrupt. Not sure I'd want that at Apple. As for tech, Tesla is much better at marketing itself than at tech...
 
JGRE said:
What I learned from this video is:
don't install apps from unknown sources
do not use G-Mail.

If you're willing to go down that route, your second point should be "do not use any apps not included in a stock iOS installation". Gmail was just an example, it's all non-Apple apps that are vulnerable to this.
 
You're sure that it doesn't need a separate click? Since the profile install doesn't need user input if the certificate is OK, I guess it could get installed at the same time and then you'd only need to click twice instead of 3 times.

I'd wait for someone to confirm that first.

But, as I said, it wouldn't matter much anyway, people would click anyway even if the profile had a big warning in bright red letters :).

Ideally, provisioning should probably be turned on by company IT on a phone by phone basis by putting a corporate certificate specific to the phone before being given to the user. A phone should only accept certificates from specific companies or not at all (disable provisioning).

----------



7 is almost like 8 from a user point of view, so not sure what you're talking about. Elon Musk is a gasbag who is one big bad decision from going bankrupt. Not sure I'd want that at Apple. As for tech, Tesla is much better at marketing itself than at tech...
Yup, a few people confirmed it. Basically just one pop up to install or not install and potentially one when running the app for the first time to trust the developer or not. But rather transparent profile installation and it seems it can stay on even if the app is removed without user knowledge essentially since in iOS 8 there's no way to see those profiles on the device itself.
 