Am I Missing Something?

:confused: Is it me, or does this seem like a non-issue? I'm sure I could be missing something, but the FireEye team states: "We signed this app using an enterprise certificate." So you acquired this Enterprise certificate from where, the in-house IT personnel? Or is that what they mean, that this could be a targeted attack, on an in-house employee, performed by your own organization (or another rogue IT employee)? If that's what they're getting at, I suppose it's something to think about, at least as a potential new employee. It's very obvious when installing provisioning files, and the team fails to include that process in their video. But, again, if they're simply suggesting an attack on a provisioned user, I get it. If a company allows you to BYOD, but requires that you utilize their provisioning server, you should be sure you trust them, or buy a separate, cheap phone, just for work. Otherwise, there's no way to side-load apps, and this is only an issue for members of a provisioning server, with sketchy employees.


That quote was taken from the FireEye blog post, not this article (of course), so you can read it there.
 
^^
Absolutely this. Apple should be far, far more careful about how they hand out enterprise provisioning certificates and it shouldn't be possible to overwrite an app that was installed from the App store with an enterprise provisioned one.

I sure hope they put a stop to this, and shouldn't it be easy with the coming update?

I have an Apple Dev. account and I've yet to install the 8.1 Beta update. No particular reason, just lazy. I haven't registered my 6 Plus as Dev. yet. But now I'm curious to see what's in the beta update. I'll check today when home.....:apple:
 
If you're dumb enough to fall for this attack, it's likely that you don't have much money or valuable intellectual treasures to be stolen in the first place, and your email content might as well be public domain.

With that said, I think apple should either disable enterprise installations by default, or provide a scarier prompt (like the one on OS X) when installing apps outside of App Store.

Ignorance or arrogance, maybe both..... Either way, you need to hang with some normal people and not geeks.

The second paragraph I agree with.
 
My uncle would so do that. Every time I clean his computer there are like 5 toolbars, searches and browser hijackers installed.
 
What if I am not a gmail app user?

The hack looks pretty scary. But what if I don't use the Gmail app on my iPhone? Of course I don't ever click on those kinds of strange links anyway...;)
 
Bye, bye malware- and virus-free Apple world. What do the haters have now against Windows, the beloved "intuitive UI" or that "it just works"? It does not.
 
^^
Absolutely this. Apple should be far, far more careful about how they hand out enterprise provisioning certificates and it shouldn't be possible to overwrite an app that was installed from the App store with an enterprise provisioned one.

I agree about overwriting AppStore apps, as there are better ways to handle provisioned limitations on apps. But how else would they deliver an enterprise cert, than email? The FireEye team, no doubt, used a readily available cert for testing, and didn't take on the task of stealing one, or hacking one out of some IT director's email Inbox. How would this be achieved in a real world environment?

----------

So this only affects those set up for enterprise right?

That's what I'm saying...
 
If you're dumb enough to fall for this attack, it's likely that you don't have much money or valuable intellectual treasures to be stolen in the first place, and your email content might as well be public domain.
Victim blaming :rolleyes:
 
Yeah IMO it sounds like the same vulnerability as the other one but re-packaged. There's a way of installing non-legit apps without the app store and you need to directly choose to do so in order for it to work.

It's not like a Windows worm virus where you just visit a random website, don't agree to anything and you (plus your entire network) are already infected.

Exactly. This is like handing over the keys to the car. It's not like simply clicking a malicious link will do this. You have to click the link, then when it asks you if you want to install the certificate and gives you a BIG WARNING about how it could allow malicious content and to only trust it from trusted sources, then you have to enter your passcode. If you do all of that because you think you're getting some game, how is that anyone's fault but your own? What should Apple do? Should they make it so businesses can't install other profiles because there are a couple of idiots out there?
 
Exactly. This is like handing over the keys to the car. It's not like simply clicking a malicious link will do this. You have to click the link, then when it asks you if you want to install the certificate and gives you a BIG WARNING about how it could allow malicious content and to only trust it from trusted sources, then you have to enter your passcode. If you do all of that because you think you're getting some game, how is that anyone's fault but your own? What should Apple do? Should they make it so businesses can't install other profiles because there are a couple of idiots out there?

If this is true, it seems more difficult, even for average users?:cool:
 
So this only affects those set up for enterprise right?

It may indirectly affect you depending on what personal information you've shared with the person who fell victim to the malicious software. What if, for example, the mal-app accesses the contacts tab and gets your number and email? What if it gains access to important shared files stored in some cloud service? I don't know how far the malware could reach, but the possibilities are rather scary.
 
Got to love how every time there is a new "big security vulnerability" in iOS it's just enterprise provisioning profiles being misused. It's a complete non-issue for anyone but the most gullible of users; of course, like phishing mail, those gullible users are the target...

Probably would be a good idea to prevent apps from being overwritten.

So this only affects those set up for enterprise right?

Well, no. You don't need to have an enterprise profile installed for this to work. What it does is lead you to a page that when you click to install the supposed app you'll get a pop up asking you if you want to install the enterprise profile which will in turn install the scam app. They're misusing enterprise profiles to basically sideload a scam app.

iOS 7 users can check to see if they've been the victim of an attack by going to Settings --> General --> Profiles to see what provisioning profiles are installed. iOS 8 devices do not show installed provisioning profiles, making it more difficult to detect an attack.

They're still there on iOS 8. Settings -> General -> Profiles as before. Shows up under iTunes Wi-Fi sync and VPN (so besides Reset it's the bottom). It only shows if you actually have any profile installed though, that might be different from iOS 7.
 
If the user has an enterprise provisioning profile installed, then an attacker can get the user to install an application which replaces an app already installed on the device. That application will need to be signed with the key used to generate the provisioning profile.

In other words, this will only work if:
  1. The attacker gets an Apple Enterprise Developer account and creates a provisioning profile
  2. The attacker somehow convinces the user to install the provisioning profile
  3. The attacker then convinces the user to install an app through a link using ad-hoc distribution

Yeah, the articles on various sites seem to be skipping the item in bold. That needs to occur before the link to install an app, it’s a two-step process, and the first will generate a message about installing a Provisioning Profile.

Regardless, I’m surprised even an Enterprise distributed app doesn’t get its package identifier checked against all known apps to prevent collision (I never really considered this, because our app PID is most certainly unique [reverse domain + appname]), and certainly there could/should be a mechanism that validates the package ID vs. Profile vs. Cert for validity (i.e., without owning the correct Cert, you can’t overwrite an existing app by just having deployment authorization from an Enterprise profile).

If you are referring to companies directing their employees to download software from their own company websites, then you are correct that some companies do this. This should not be a problem. I'd say someone is clicking links they ought to know better than to click.

I have an Enterprise app, distributed through this same mechanism, but the install occurs from a specific web page, on an internal domain and the whole process is clearly documented as part of the organization’s security policies and procedures (which are pretty rigid).
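The collision check proposed in the post above (bundle ID vs. provisioning profile vs. signing team), as an added illustration that is not code from this thread or from FireEye. It assumes a constructed Info.plist, a constructed plist body of an embedded.mobileprovision (the CMS signature that normally wraps it is omitted), and a constructed stand-in for the list of known App Store apps.

```python
import plistlib
from fnmatch import fnmatchcase

# Constructed sample inputs (not taken from the FireEye post or this thread):
# an enterprise-signed app whose Info.plist reuses a well-known bundle ID,
# and the plist body of its embedded.mobileprovision (CMS wrapper omitted).
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.victimmail</string>
  <key>CFBundleDisplayName</key><string>Free Game</string>
</dict></plist>"""

PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.*</string>
  </dict>
</dict></plist>"""

# Constructed stand-in for "all known App Store apps" mapped to their publisher's team ID.
APP_STORE_APPS = {"com.example.victimmail": "TEAMMAIL01"}

def profile_allows(profile: dict, bundle_id: str) -> bool:
    """True if the profile's application-identifier entitlement covers bundle_id.

    The entitlement has the form TEAMID.<bundle id or wildcard>; the team prefix
    must match the profile's TeamIdentifier and the remainder must match the app.
    """
    team_ids = profile.get("TeamIdentifier", [])
    app_id = profile["Entitlements"]["application-identifier"]
    team, _, pattern = app_id.partition(".")
    return team in team_ids and fnmatchcase(bundle_id, pattern)

def check_install(info_plist: bytes, profile_plist: bytes, store_apps: dict) -> str:
    """Return 'ok' or the reason an enterprise install should be refused."""
    bundle_id = plistlib.loads(info_plist)["CFBundleIdentifier"]
    profile = plistlib.loads(profile_plist)
    if not profile.get("ProvisionsAllDevices"):
        return "not an enterprise (in-house) profile"
    if not profile_allows(profile, bundle_id):
        return "bundle ID not covered by profile"
    owner = store_apps.get(bundle_id)
    # A wildcard enterprise profile covers the ID, but a different team owns it in the store.
    if owner and owner not in profile.get("TeamIdentifier", []):
        return f"bundle ID collides with App Store app owned by another team ({owner})"
    return "ok"

if __name__ == "__main__":
    print(check_install(INFO_PLIST, PROFILE_PLIST, APP_STORE_APPS))
```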
 
Apple can certainly block this type of vulnerability. No one is asking them to fix stupidity.

Well said and the thrust of what I was saying before. People are concentrating on the wrong details...

And so what would you have them do about organizations such as ours, who use it for legitimate reasons, and push apps down via our MDM?

Rule #1 of internet safety: Do not click links without verifying that the person who sent it to you is: A. Legitimate, and B. Intended to send it to you.
 