An SMS or something else. It wouldn't be too hard, if you targeted someone specific, to send a well-made email to that person showing his friend, boss, ... address or something, or even hide behind an address like it@company.com requesting all users to update an app.
A "huge" vulnerability doesn't mean it can affect absolutely everyone.




Which is how a few apps in the business world are installed, like from private app stores. And this isn't being stupid; this is doing what your company requests you to do :rolleyes:

So now, you have to know my boss/friend's email address, or the email address of where I work, in order to trick me into installing an app from an email or SMS? I mean, I can understand that this is a problem that Apple needs to fix, but come on. That's a lot of "ifs" to go through just to get me to install a mimicked app.

Also, what happens when I realize that the New Flappy Bird app installed over my Gmail app, and I delete it? Or, I simply restore my phone from a previous backup, before the app was installed? I mean, you did have to take me to a 3rd party website to install an app that never really installed. Anyone with common sense is going to know that something is up at that point.
 
This isn't a big deal. Until it is one.

Right now - not so much an issue. However, if Apple wants to maintain its high level of integrity when it comes to security - they'll need to figure out a way to ensure side loading can't happen without a pop up or some warning.
 
So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.

Apple can't fix stupidity...
 
Wow, that sucks! It even installs apps automatically from some random link without the need of an app store? No need to jailbreak to pirate apps, people! This is the way to go....
 
It's somehow fixed in iOS 8.1.1. There will be a warning when you open apps that are not installed through App Store.

But it will not forbid signed apps from overwriting apps from the App Store, because it is designed to work like this; I think it's for internal beta testing and enterprise purposes.
 
So now, you have to know my boss/friend's email address, or the email address of where I work, in order to trick me into installing an app from an email or SMS? I mean, I can understand that this is a problem that Apple needs to fix, but come on. That's a lot of "ifs" to go through just to get me to install a mimicked app.

We just had an article saying iOS was like 60% of phone activations in businesses, right? Some companies could use that to steal data from competitors, or stuff like that.

Yes this is a pretty bad vulnerability, maybe it doesn't affect everyone (obviously not since you need provisioning profiles and stuff like that installed). Like, just make gmail or any other app crash.
The average user would delete it and reload it, but the malicious code would have been executed without the user even knowing something bad happened.


(But hey, since people seem to be obsessed with China/NSA, maybe they used that thing for years to steal all our datazz :D)
 
This is a pretty legit vulnerability. Cunning.

Yeesh. I previously trusted iOS enough to do banking on my phone whereas previously I'd only do such in a VM with a fresh cloned updated Linux distro, then delete the VM. It's not this vulnerability or any of the previous that have made me lose my trust. It's the pattern that's showing now, making me wonder what vulnerabilities are there still, but haven't yet been discovered.
 
You mean there isn't any kind of simple MD5 check on app file downloads? Apple can't phone home every time an app gets installed and see if the file is valid? I mean isn't that sort of Installing Stuff 101?
 
What else should we say about those dumb claims? I have to click "install" to install the app from an unknown source to get iOS devices infected? How many people do that? LOL. It's like you have to open the front door so that the thief can come in and steal your property... So the advice is: Don't Open The Front Door OR Don't Click On The "INSTALL" From Unknown Sources. Is that too hard for normal people to understand?
The researchers just don't want to give Apple a break by creating some BS situations like these.... Just in case everyone forgets: EVERY system, regardless of what OS, WILL be infected if malware is installed. The title should say:

"'Masque Attack' Vulnerability Allows Malicious Third-Party MOBILE Apps to Masquerade as Legitimate Apps"
 
This reminds me how some ads install some stupid game apps on my phone without me even noticing it. I think hackers can use ads for such an attack. Stop serving ads, Apple!
 
Not everyone is a computer wiz. I see a lot of grandmas/pas out there using iPhones. If it's a hole, fix it.

Then these deserve to get burnt. Wait... let me reassess it: Grandmas/pas don't know how to install apps and use apps either... This is even more irrelevant.
 
What else should we say about those dumb claims? I have to click "install" to install the app from an unknown source to get iOS devices infected? How many people do that? LOL. It's like you have to open the front door so that the thief can come in and steal your property... So the advice is: Don't Open The Front Door OR Don't Click On The "INSTALL" From Unknown Sources. Is that too hard for normal people to understand?
The researchers just don't want to give Apple a break by creating some BS situations like these.... Just in case everyone forgets: EVERY system, regardless of what OS, WILL be infected if malware is installed. The title should say:

"'Masque Attack' Vulnerability Allows Malicious Third-Party MOBILE Apps to Masquerade as Legitimate Apps"

You're missing the point. How it gets installed is less important than the fact that it CAN be installed this way in the first place.

You're focusing on the wrong issue.
 
Hmmm, these malicious users are crafty and must really have time on their hands to come up with these workarounds.

Still, I delete spam messages, don't open strange emails, and never click ads on any webpage so I'll roll the dice and keep using my iOS devices. ;)

I'm the same way, learned my lesson years ago with Windows about side loading or links from emails etc. :cool:

Google Gmail, is anyone surprised it's not secure at all? :eek:

Also, if I understand this correctly, the direct links, be it email or SMS, still have you download outside of the App Store? If that's correct, most smart people will not have a problem at all. :cool:
 
Who installs apps from non official app stores?? I never did that even when I had an Android.

Also more importantly... Why would you answer a text/email from someone you do not know?
 
This is a serious security concern!

The current example showing how to exploit it may seem like you have to be an idiot to do it, but don't assume that's the only way to use it. What about a legit app in the App Store that's a fun game but purposely designed to take advantage of this exploit? It does so by promoting a new version of the game within the app and prompts the user to install it, which takes advantage of this exploit by launching a hyperlink after tapping 'install'.

I doubt Apple is actively checking for things like that when they review them, as you can already have buttons that load webpages within apps.
 
I'm the same way, learned my lesson years ago with Windows about side loading or links from emails etc. :cool:

Google Gmail, is anyone surprised it's not secure at all? :eek:

Also, if I understand this correctly, the direct links, be it email or SMS, still have you download outside of the App Store? If that's correct, most smart people will not have a problem at all. :cool:

I learned mine years ago, just before I became technically literate. I was on my old HP Compaq and went to dictionary.com in IE 6 or something and got a pop-up that looked like a Vista notification. I selected it and got a virus installed on my system.

Since that day I vowed to be technologically proficient. Now, years later, I'm the tech support guy in my family with multiple computers and OSes. :cool:

My, how times have changed. That's when I decided to give OS X a shot and found I preferred it over W7 and especially Vista. I like W8.1, but I still prefer OS X.
 