'Masque Attack' Vulnerability Allows Malicious Third-Party iOS Apps to Masquerade as Legitimate Apps

So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.

While I agree with this, there is a perception that iOS is invincible. Plus, there are enough non-tech savvy people with iPhones that will have no clue that they should stick to the App Store for all installs.
 
I have an Enterprise app, distributed through this same mechanism, but the install occurs from a specific web page, on an internal domain and the whole process is clearly documented as part of the organization’s security policies and procedures (which are pretty rigid).

This sounds like how it should be.
 
Wait... is it possible that you can side load apps in iOS if you own a non-enterprise device? On Android, you have to turn on "install from unknown sources" -- is there an equivalent to that in iOS?

I'm looking at my iPhone 5's settings and I'm not seeing anything.
 
Just because the vulnerability is there, there is no reason Apple needs to rush to fix this. Because in order for the Masque attack to work, it needs the user to open a link via messages. If the link takes them anywhere other than the App Store, you have to be really unintelligent not to know that it's malware or a "hack". Plus it ASKS you whether to install said app or not.
 
You have to get through some warnings before you can install an enterprise provisioning profile, don't you?

We tech-savvy forum goers would never ignore such warnings. But the flaw still should have been closed before now. People shouldn't HAVE to be savvy to be safe. "Almost" safe isn't Apple's best effort.

Wait... is it possible that you can side load apps in iOS if you own a non-enterprise device? On Android, you have to turn on "install from unknown sources" -- is there an equivalent to that in iOS?

I'm looking at my iPhone 5's settings and I'm not seeing anything.

I think iOS asks you that question for each individual source (an "enterprise"--your employer, by intent). Rather than for the phone as a global setting, which would be extra dangerous, Android-style.

But I haven't seen the steps actually done.
 
The only way that I think they could fix it is to only allow downloads / access from the Apple store.


They can stop an app installing over another app outside the app store if it is signed by a different organization. E.g. if the official gmail app is not signed by Google, it can't replace it.
 
I don't get it. I've never seen a webpage load with the option to install an App on your device?

I thought the only place you can install Apps is from the App Store, and through Xcode, and definitely not through any function in Safari?

You can distribute an app through a simple HTTP(S) link, _if_ the user downloads a provisioning profile for the app. Here’s a shot from Xcode that shows the Enterprise distro configuration - you can see it generates a link to the IPA which is an iOS app store package (FYI, an IPA is actually a ZIP of the selected binaries, support files, etc. :) )

[Screenshot: XcodeScreenSnapz016.png]
 
What world did you come from not getting apps from Apple App store?

All of the enterprise market which loads custom apps this way without going through the app store - as the article mentioned.

If you are an IBM employee and see an email from "it@ibm.com" saying, we have an update for [some app that IBM uses in the enterprise environment] click the link to install it, you are going to get a TON of people installing it because they have done it many times before not realizing that it@ibm.com has been spoofed.
 
You'd be amazed how many people do things like that to get access to emulators, dodgy movie downloads, etc - a quick search through these forums will reveal quite a few threads about how wonderful it is to be able to download a "free" movie app direct from a pretty sketchy website.

It's amazing how the lure of something for nothing can still catch people out in 2014...

Then those people shouldn't complain when their identities get stolen.
 
They can stop an app installing over another app outside the app store if it is signed by a different organization. E.g. if the office gmail app is not signed by Google, it can't replace it.

This is the proper solution I believe. It won't stop people from downloading new malicious apps but at least it'll protect the data for legitimate apps already installed.
 
Enterprise.

Enterprise.

My company has its own App Store. But they would never send me a text message with a link to download it. I have to go through a series of secure steps to have their App Store loaded in my device.
 

No, just no.
Adding gate to any issue is just stupid. Watergate was huge, none of these issues come close. People need to leave the gate attached to the fence where it belongs.

On topic, stick to the app store. If an email or SMS seems suspicious, it probably is, don't click the links, delete it. Simple.
If you're jailbroken, just be very careful with what you install outside the app store.
 
Does Apple employ people to look for flaws, such as security holes or buggy software? I'm sure they do something to check for security holes that can be exploited?

If not, it would be something to think about. Get some real hackers, and tell them to exploit anything they can in iOS, OS X, etc.

Or am I way off, and they just wait for issues to pop up?
 
Hmm... was thinking of jailbreaking my 4s, this news puts me on the fence again! :(
As previously posted, jailbreakers may have a minefield out there with regards to installing apps outside the App Store.
 
Yeah, right. You get a message from an unidentified source telling you there is a new app. When you download the app, you get notified about its (obscured) source. You have the app installed and replacing the original app, and still you haven't noticed anything......... REALLY????????

So, the rogue app looks and does exactly the same as the original one without any difference? Hard to believe (in the video it is even Flappy Bird versus Gmail......)

What I learned from this video is:
don't install apps from unknown sources
do not use G-Mail.

Actually there is nothing really wrong with iOS, hopefully Apple comes up with a fix to close this once and for all.
 
And so what would you have them do about organizations such as ours, who use it for legitimate reasons, and push apps down via our MDM?

Rule #1 of internet safety: Do not click links without verifying that the person who sent it to you is: A. Legitimate, and B. Intended to send it to you.

I don't have to worry about such things because (in full disclosure) I don't work for Apple. Therefore - I am not responsible for coming up with a solution for this issue with iOS. That's for Apple to figure out.

And regardless of your internet rule #1 - the issue should be addressed.
 
but iOS users can protect themselves by not installing apps from third-party sources other than the official App Store, avoiding clicking on "install" popups in SMS messages or third-party websites, and avoiding apps/uninstalling apps that give an "Untrusted App Developer" alert.

Internet 101. You can't fix stupid. Maybe we need to have tests before using computers/smartphones just like we require them for driving.
 
So you can only get burned if you download an app from outside the app store right? Honestly, who does that?
Anybody who works for a company with an in-house app. It only costs a few hundred bucks to get a certificate and allows deployment outside the store.

There will be an alert asking if you trust the app developer, with the name of the company who owns the certificate in the alert. You can't lie about the company name either, it has to match the DUNS registration.

Also, Apple can and does revoke these certificates, which will make it impossible to launch the app on every iOS device worldwide.
 
Anybody who works for a company with an in-house app. It only costs a few hundred bucks to get a certificate and allows deployment outside the store.

There will be an alert asking if you trust the app developer, with the name of the company who owns the certificate in the alert. You can't lie about the company name either, it has to match the DUNS registration.

Also, Apple can and does revoke these certificates, which will make it impossible to launch the app on every iOS device worldwide.

Thanks for the info! Didn't know about the DUNS.
 
You're missing the point. How it gets installed is less important than the fact that it CAN be installed this way in the first place.

You're focusing on the wrong issue.

There are actually two issues:
1. a trick within iOS which should not be there
2. users who are complete idiots

If you install new Flappy Bird from China and don't even notice that a fake Gmail is being installed, please don't buy any computer, phone or tablet because you are not up to it. This could btw also happen from a fresh install in the same way.

Actually this puts a new dimension to the definition of 'foolproof'.
 
My uncle would so do that. Every time I clean his computer there are like 5 toolbars, searches and browser hijackers installed

I feel your pain.

Pre-teen nephews looking for free games. Teen nieces looking for free movies and music. And a 50 y.o. BIL who falls for any and all click bait.
 
So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.

The video is a proof of concept. Given enough time, attackers will come up with some pretty clever (and not so clever) ways to get you to tap through.

It only takes one user to click the link from the random "good samaritan" and then it could be configured to start sending messages to everyone in that user's contacts list. _Then_ you could get a message from someone you know with a link to download the "New Flappy Bird", maybe then it doesn't sound so obviously bad.
 
Installing a fake app is much more difficult than the article describes:

1. The "evil" app needs to be signed by Apple after an enterprise developer uses their credentials to request a signature. If a malicious app appears, then we will know which business created it. In other words, it's like a thief that must sign his work with his name, address, and payment information (all necessary to get an enterprise account).
2. Of course, someone can steal an enterprise's signing credentials, but credentials can be revoked. Stealing passwords is easy, though, so this could definitely be done.
3. The user must accept that a third-party provisioning profile be installed on their device before the app will install. This is not normal, so for most people, it should be enough to let them know something is extremely fishy.
4. The user must allow an app to be installed directly without using the App Store. Smart users will know that this is unusual, so they will be suspicious.
5. When a compromised app is discovered, Apple can remotely remove it or turn it off.

All that said, Apple's lack of attention to detail is very upsetting in what seems to be an obvious compromise. It especially aggravates me that Apple hid the provisioning profiles installed and that Apple doesn't check bundle IDs against the creator of the app. I love the devices and the software Apple creates, but they can be very sloppy.
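The fix proposed earlier in the thread (an app from outside the App Store may only replace an installed app with the same bundle ID if it is signed by the same organization) and the complaint above that bundle IDs are not checked against the creator both come down to one policy check. The following is an added example that is not code from the thread or from Apple: it models that check in Python, reading CFBundleIdentifier out of a constructed IPA (which, as noted above, is just a ZIP) and comparing the signer's team against the team that owns the already-installed bundle ID. The team identifier is passed in as an assumption, standing in for what the real code signature would establish; all bundle IDs and team names are constructed placeholders.

```python
import io
import plistlib
import zipfile


def build_sample_ipa(bundle_id: str, app_name: str = "Demo") -> bytes:
    """Constructed minimal IPA: a ZIP holding Payload/<App>.app/Info.plist."""
    info = {"CFBundleIdentifier": bundle_id, "CFBundleName": app_name}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"Payload/{app_name}.app/Info.plist", plistlib.dumps(info))
    return buf.getvalue()


def bundle_id_from_ipa(ipa: bytes) -> str:
    """Locate the top-level app bundle's Info.plist and read its bundle ID."""
    with zipfile.ZipFile(io.BytesIO(ipa)) as z:
        name = next(n for n in z.namelist()
                    if n.startswith("Payload/") and n.endswith(".app/Info.plist")
                    and n.count("/") == 2)
        return plistlib.loads(z.read(name))["CFBundleIdentifier"]


def check_install(installed: dict, ipa: bytes, signer_team: str) -> tuple:
    """Model of the proposed policy (hypothetical, not an iOS API).

    installed maps bundle ID -> team that signed the installed copy.
    An incoming app whose bundle ID collides with an installed app is
    rejected unless the same team signed it; this is the Masque case.
    """
    bundle_id = bundle_id_from_ipa(ipa)
    owner = installed.get(bundle_id)
    if owner is not None and owner != signer_team:
        return ("reject", f"{bundle_id} is owned by {owner}, not {signer_team}")
    return ("allow", bundle_id)


if __name__ == "__main__":
    # Constructed device state: one mail app already installed by its vendor.
    device = {"com.example.mail": "TEAM_MAIL_VENDOR"}
    evil = build_sample_ipa("com.example.mail", "FlappyBird")  # same bundle ID
    print(check_install(device, evil, "TEAM_ENTERPRISE_X"))       # rejected
    print(check_install(device, build_sample_ipa("com.example.game"),
                        "TEAM_ENTERPRISE_X"))                     # allowed
```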
 