So this basically affects stupid people who click on links to sideload apps.

I have a laugh when people like yourself get hacked and don't even realise it....

Just 'cause someone is not tech savvy, does not make them stupid.

And after years of Apple telling people they are safe, and only PCs and Android have issues, why on earth should they be worried about a link to an app? Think before posting!
 
I didn't even know it was possible to install apps without the App Store, outside of jailbreaking.
 
Seems you'd have to be pretty stupid to fall for all the things you'd need to fall for to make this work.

Yeah.. It's never the hacker's fault, they are good decent people. The low-life regular-Joe bastards that fall into the trap, on the other hand :mad:

amazing..
 
So now, you have to know my boss/friend's email address, or the email address of where I work, in order to trick me into installing an app from an email or SMS? I mean, I can understand that this is a problem that Apple needs to fix, but come on. That's a lot of "ifs" to go through just to get me to install a mimicked app.

Also, what happens when I realize that the New Flappy Bird app installed over my Gmail app, and I delete it?

It only takes one stupid person in your workplace to fall for it; after that they have access to that person's contacts.

Targeting the contacts found on that phone, who all share the same email domain name, would then be a good place to start phase II.

There is no malicious Flappy Bird app installed over Mr Stupid's Gmail app; that's just the carrot to get him to bite.

Instead there's a malicious version of Gmail installed over the top of his existing Gmail when he sideloads their app.

Stupid at your company gets tempted in with the promise of Flappy Bird; at the end of the download he just assumes it failed as there's no sign of it on his phone.

Those folks whose contacts were harvested from Mr Stupid don't have to get Flappy Bird dangled in front of them. They could get some pompous official-sounding email (supposedly from someone in IT or HR) instructing them to download a trial build of a new company in-house iPhone app.

One that's been made to 'better manage company holiday entitlements and bonus pay' or some other waffle like that. Again what they end up with is a malicious Gmail over their ordinary Gmail, and again they assume the corporate app (of which there's no sign on their phone) just failed to install due to some issue or other.
 
I think the Apple App Store would still have to approve the update? But I would like to know the answer for sure? :confused:

No because it downloads from the hyperlink you clicked on, not by being installed via the App Store as an update.
 
Apple better be reading this and take it seriously to patch ASAP. This doesn't make any sense since such hacks can only happen in the jailbreak community, but now it has spread to non-jailbreak devices as well. I just deleted my Gmail app right after reading this post.

You realize that the mention of Gmail was just an example. It could be ANY of your apps that Apple themselves didn't pre-install.
 
So, it sounds like the exploit is not the ability to install an application on the device. That happens because the device has an enterprise provisioning profile installed.

If the user has an enterprise provisioning profile installed, then an attacker can get the user to install an application which replaces an app already installed on the device. That application will need to be signed with the key used to generate the provisioning profile.

In other words, this will only work if:
  1. The attacker gets an Apple Enterprise Developer account and creates a provisioning profile
  2. The attacker somehow convinces the user to install the provisioning profile
  3. The attacker then convinces the user to install an app through a link using ad-hoc distribution

Yes, this method can be used to distribute jailbreak apps without jailbreaking the device, and has been used in the past by emulators. The problem with relying on this approach is that Apple revokes the certs, and then you can't use them for an install.
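
As an added example (not part of the original post, and not code from Apple or the researchers): a defender-side check that reads the manifest behind an over-the-air install link and flags any item whose bundle identifier matches an app the device already has from the App Store. It relies on the fact, not spelled out in the thread, that the replacement works by reusing the installed app's bundle identifier; the manifest contents, the inventory shape, and every name and URL below are constructed for illustration.

```python
import plistlib

# Constructed sample: an over-the-air install manifest of the kind an
# install link points at. All values are made up for illustration.
SAMPLE_MANIFEST = plistlib.dumps({
    "items": [{
        "assets": [{"kind": "software-package",
                    "url": "https://apps.example.invalid/holiday-planner.ipa"}],
        "metadata": {"kind": "software",
                     "bundle-identifier": "com.example.mail",
                     "bundle-version": "1.0",
                     "title": "Holiday Planner"},
    }]
})

# Constructed inventory: bundle identifier -> (display name, install source),
# in a hypothetical shape an MDM export might be reduced to.
INVENTORY = {
    "com.example.mail": ("Example Mail", "app_store"),
    "com.example.corp.timesheet": ("Timesheet", "enterprise"),
}

def manifest_items(raw):
    """Yield (bundle_id, title, package_url) for each item in a manifest."""
    for item in plistlib.loads(raw).get("items", []):
        meta = item.get("metadata", {})
        url = next((a.get("url") for a in item.get("assets", [])
                    if a.get("kind") == "software-package"), None)
        yield meta.get("bundle-identifier"), meta.get("title"), url

def find_collisions(raw, inventory):
    """Return findings for items that would overwrite an App Store app."""
    findings = []
    for bundle_id, title, url in manifest_items(raw):
        installed = inventory.get(bundle_id)
        if installed is None:
            continue  # new app, not a replacement of anything installed
        name, source = installed
        if source == "app_store":
            findings.append({"bundle_id": bundle_id, "advertised_title": title,
                             "would_replace": name, "package_url": url,
                             "title_mismatch": title != name})
    return findings

if __name__ == "__main__":
    for finding in find_collisions(SAMPLE_MANIFEST, INVENTORY):
        print(finding)
```

A title that differs from the installed app's name, as in the sample, is the "Flappy Bird over Gmail" pattern described earlier in the thread.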
 
They are using Gmail as an example. They could use anything else.

Also, yes, it's outside of the App Store, and you're aware every single company network makes its users download apps outside of it, right?

"While the attack cannot replace stock Apple apps like Safari and Mail"

This is what maybe confused me, I'm guessing iCloud mail is safe?:confused:
 
The main point is that enterprise provisioning is being abused for malicious intent and many are unlocking a back door on their devices without them even knowing it. :|

^^
Absolutely this. Apple should be far, far more careful about how they hand out enterprise provisioning certificates and it shouldn't be possible to overwrite an app that was installed from the App Store with an enterprise provisioned one.
 
If you're dumb enough to fall for this attack, it's likely that you don't have much money or valuable intellectual treasures to be stolen in the first place, and your email content might as well be public domain.

With that said, I think Apple should either disable enterprise installations by default, or provide a scarier prompt (like the one on OS X) when installing apps outside of the App Store.
 
^^
Absolutely this. Apple should be far, far more careful about how they hand out enterprise provisioning certificates and it shouldn't be possible to overwrite an app that was installed from the App Store with an enterprise provisioned one.

Well said and the thrust of what I was saying before. People are concentrating on the wrong details...
 
No because it downloads from the hyperlink you clicked on, not by being installed via the App Store as an update.

If I only update from App Store (That's how I do all updates), is this a problem?

I update manually, I've always liked reading what the update is first.:cool:
 
I don't get it. I've never seen a webpage load with the option to install an App on your device?

I thought the only place you can install Apps is from the App Store, and through Xcode, and definitely not through any function in Safari?
 
Every COMPANY in the world. Think before posting.
If you are referring to companies directing their employees to download software from their own company websites, then you are correct that some companies do this. This should not be a problem. I'd say someone is clicking links they ought to know better than to click.

But it seems we should never underestimate the power of ignorance. Hustler 1337 built on your point when he said,

The main point is that enterprise provisioning is being abused for malicious intent and many are unlocking a back door on their devices without them even knowing it. :|
 
Apple can't fix stupidity...

Right, 'cause before this article you knew that the exploit existed, and would have never tried to download an app outside iTunes...... Apple also cannot fix the hypocrisy that some fans exhibit ;)
 
Old redundant news! Who would download an app from some random website? I'm sure there's many who do! Personally if it's not from Apple's App Store, I'm not interested. Only common sense here. :rolleyes:
 
If you're dumb enough to fall for this attack, it's likely that you don't have much money or valuable intellectual treasures to be stolen in the first place, and your email content might as well be public domain.

If you're dumb enough to not understand how this can be used against normal people, you've never been in contact with normal people ( outside computer programmers, non-anime individuals, non-manga women, non-virtual worlds )
 
This isn't some big security hole. Quit acting like it's a huge deal other than for those that are too stupid for their own good. If you're an idiot and install unconfirmed profiles, that's your own fault. It's no different than asking you for your computer password and then being surprised when someone installs what they want with the password you've just given them. You've been able to do this on iOS for years.

This is also how you can install any apps you want. Been utilizing it for years. This is how many companies load their own internal apps on to their employee devices without having to have them approved by the App Store.

Yeah IMO it sounds like the same vulnerability as the other one but re-packaged. There's a way of installing non-legit apps without the app store and you need to directly choose to do so in order for it to work.

It's not like a Windows worm virus where you just visit a random website, don't agree to anything and you (plus your entire network) are already infected.
 
Stupid is as stupid does...........

Different people have different knowledge; it's Apple's job to protect iOS from all sorts of vulnerabilities big or small, whether the hack execution requires a tech savvy or inexperienced user. Remember Apple did taunt Android's security; Google might as well go ahead and tell people they are inexperienced idiots who got what they deserve. Any hack that manipulates the operating system is the responsibility of the OS makers before the user.
 
"While the attack cannot replace stock Apple apps like Safari and Mail"

This is what maybe confused me, I'm guessing iCloud mail is safe?:confused:

Apps that come with the OS (notably those you can't delete, like Calendar, Mail, Weather, etc) are safe. Any other app that you installed at some point can be the target of this vulnerability.
 