'Masque Attack' Vulnerability Allows Malicious Third-Party iOS Apps to Masquerade as Legitimate Apps

[Tzerlag]

The heck looks pretty scary. But what if I don't use gmail app on my iPhone? Of course I don't ever click on those kind of strange links anyways...

Gmail was just the example for demonstration purposes. It could be any non-standard Apple app.

 

[b0nd18t]

I know personally I have clicked links to apps to download that redirect to the app store. macrumors.com, and almost every tech blog all do app links. Some of you guys act like it would have to be from some seedy obvious link, when it could be from a website.

 

[JGRE]

I know personally I have clicked links to apps to download that redirect to the app store. macrumors.com, and almost every tech blog all do app links. Some of you guys act like it would have to be from some seedy obvious link, when it could be from a website.

The sites you mention are hardly the sites that spread rogue apps.....

 

[AlecZ]

"iOS 7.1.1, 7.1.2, 8.0, 8.1, and the 8.1.1 beta"
Sooooo is my iOS 7.0.6 safe?

 

[Keirasplace]

We just had an article saying iOS was like 60% of phone activations in businesses, right? Some companies could use that to steal datas from competitors, or stuff like that.

Yes this is a pretty bad vulnerability, maybe it doesn't affect everyone (obviously not since you need provisioning profiles and stuff like that installed). Like, just make gmail or any other app crash.
The average user would delete it and reload it, but the malicious code would have been executed without the user even knowing something bad happened.


(But hey, since people seem to be obsessed with China/NSA, maybe they used that thing for years to steal all our datazz )

This is a phishing type vulnerability. The vulnerability is more in the total idiocy of the people receiving those things.

It probably needs a fix, but one that will keep the original delivery channel they're using mostly intact.

Restricting this too tightly will create side problems since they are using a legitimate way to get in.

People authorizing malware installation on their desktops are the same.

 

[Michaelgtrusa]

Pay is a real tempting target for evil.

 

[WrQth]

iOS 7 users can check to see if they've been the victim of an attack by going to Settings --> General --> Profiles to see what provisioning profiles are installed. iOS 8 devices do not show installed provisioning profiles, making it more difficult to detect an attack.

Confirmed that on iOS 8.1 installed profiles do show if there is a profile installed. What I can't speak to is whether the Profiles menu is seen if there is no profile installed in iOS 8.1.

 

[Keirasplace]

I know personally I have clicked links to apps to download that redirect to the app store. macrumors.com, and almost every tech blog all do app links. Some of you guys act like it would have to be from some seedy obvious link, when it could be from a website.

If it comes from a website you trust, that website would also need to be compromised; that's a major effort just to get into a few phones. If a major web site is compromised, the hackers probably can get you in many other ways without even having to get to your phone directly... Say skimming your passwords and then getting into all your other accounts all over the internet .

 

[bozzykid]

Who installs apps from non official app stores?? I never did that even when I had an Android.

That has nothing to do with this issue. The link isn't taking you to an app store. The user isn't browsing a 3rd party store. They are clicking a link and having it install over an existing app.

 

[coolfactor]

It's interesting that this doesn't work for stock Apple apps... why not? What's different about the stock apps from third-party apps? Aren't they all protected by the same mechanisms?

 

[wxman2003]

i have a laugh when people like yourself get hacked and don't even realise it....

Just cause someone is not tech savvy , does not make them stupid.

And after years of apple telling people they are safe, and only PCs and android have issues, why on earth should they be worried about a link to an App. Think before posting!

So what you are saying is people click on links without thinking. It's good that it's always the fault of someone else and not the actual person who doesn't think. I would bet these are the same people that use password as their password. I'm not saying it shouldn't be fixed, perhaps Apple needs to prevent ALL sideloading.

 

[Keirasplace]

Pay is a real tempting target for evil.

They can't access the secure element even if they had root, which they wouldn't even have in this case. All pins are entered with Apple's keyboard so there is no way to skim them. If you access your own bank through their app, that would be dangerous; but it has nothing to do with Apple pay.

 

[bozzykid]

It's interesting that this doesn't work for stock Apple apps... why not? What's different about the stock apps from third-party apps? Aren't they all protected by the same mechanisms?

Stock apps can't be updated, so this wouldn't work obviously.

 

[MasterRyu2011]

That has nothing to do with this issue. The link isn't taking you to an app store. The user isn't browsing a 3rd party store. They are clicking a link and having it install over an existing app.

If I'm using a non-enterprise ios device --- just a regular old iphone from the carrier, will it be able to install this rogue app also?

 

[macfacts]

So this basically affects stupid people who click on links to sideload apps.

You seem to think the attacker can't replace the link text with "click here to win a prize" ...

 

[StyxMaker]

old people

I'd be willing to bet ten times more young people would click on such a link and load malware than would 'old people'.

 

[miamialley]

It won't affect us, but it will get people who don't know better.

 

[Michaelgtrusa]

They can't access the secure element even if they had root, which they wouldn't even have in this case. All pins are entered with Apple's keyboard so there is no way to skim them. If you access your own bank through their app, that would be dangerous; but it has nothing to do with Apple pay.

My instincts are telling mr that they will find a way, but I hope you are right at least for now.

 

[AlecZ]

It's interesting that this doesn't work for stock Apple apps... why not? What's different about the stock apps from third-party apps? Aren't they all protected by the same mechanisms?

For one, stock apps are kept in /Applications, and store apps are in /var/mobile/Applications.

 

[opfreak]

lol all these apple fans dismissing this hack as minor, would be ripping on MS if it happened to them.

Most windows infections start this way. Some noob clicks on some link and installs something they shouldnt

 

[wikiverse]

Hmmm, these malicious users are crafty and must really have time on there hands to come up with these workarounds.

Still, I delete spam messages, don't open strange emails, and never click ads on any webpage so I'll roll the dice and keep using my iOS devices.

You don't need to click ads for the App Store to launch. It happens to me regularly.

It's not hard for someone to build a pop-up web page to look like the App Store. People could easily think it is the App Store anyway since apple allows safari and ads in apps to launch the actual App Store to a particular app without any user action at all.

 

[69Mustang]

Exactly. This is like handing over the keys to the car. It's not like simply clicking a malicious link will do this. You have to click the link, then when it asks you if you want to install the certificate and gives your a BIG WARNING about how it could allow malicious content and to only trust it from trusted sources, then you have to enter your passcode. If you do all of that because you think you're getting some game, how is that anyone's fault but your own? What should Apple do? Should they make it so businesses can't install other profiles because there are a couple idiots out there?

Too stupid for their own good and idiots. Hmmm. Do you kiss your wife with that mouth? just kidding. Not every person is an IT guru. Fact is the majority of the public isn't overly tech savvy. Moreover, even those who consider themselves tech savvy, and read tech forums, may not know everything you think an idiot should know. Examples below of tech savvy people who are not idiots, but don't know everything. We all can't be OldSchoolMacGuy.

You're "old school" MR. Surprised you resorted to Yahoo/Facebook level commentary. Idiots and stupid.

I though it is impossible to install apps from non office app stores unless it is jailbreak with appsync to do so?

Something doesn't make sense here... Isn't this issue limited to jailbreaked devices ?

Apple better reading this and take it serious to patch asap. This doesn't make any sense since such hacks can only happen in the jailbreak community but now it spread to non-jailbreak device as well. I just delete my gmail app right after reading this post.

Who installs apps from non official app stores?? I never did that even when I had an Android.

Also more importantly... Why would you answer a text/email from someone you do not know?

Apologies to you all for using your quotes as examples of tech savvy people who don't know everything. In no way am I equating any of you with idiot or stupid.

 

[derbladerunner]

Can the pop-up (asking the user to install the app) be somehow circumvented or bypassed by the attacker automatically?

That would be truly scary.

If I understood correctly, the user at least needs to manually click "Install" after following the malicious link (?).

 

[C DM]

Got to love how every time there is a new "big security vulnerability" in iOS it's just enterprise provisioning profiles being misused. It's a complete non-issue for anyone but the most gullible of users, of course, like phising mail, those gullible users are the target...

Probably would be a good idea to prevent apps from being overwritten.



Well, no. You don't need to have an enterprise profile installed for this to work. What it does is lead you to a page that when you click to install the supposed app you'll get a pop up asking you if you want to install the enterprise profile which will in turn install the scam app. They're misusing enterprise profiles to basically sideload a scam app.



They're still there on iOS 8. Settings -> General -> Profiles as before. Shows up under iTunes Wi-Fi sync and VPN (so besides Reset it's the bottom). It only shows if you actually have any profile installed though, that might be different from iOS 7.

Unfortunately it seems that for the most part things have changed in iOS 8 in relation to profiles: in many instances you don't get prompted to install them and don't even see them on the device itself: http://stackoverflow.com/questions/...eta-4-xcode-6-beta-4#comment41038167_25132712

(I've dealt with this directly when I installed a beta of an app I was helping to test, where there was no prompt to install a profile and there was no way to remove it from the device short of going to Xcode and digging in there and trying to remove it from there.)

 

[mercuryjones]

lol all these apple fans dismissing this hack as minor, would be ripping on MS if it happened to them.

Most windows infections start this way. Some noob clicks on some link and installs something they shouldnt

Except, this "hack" requires you to install enterprise provisioning first and then click on a link from a SMS/email. And THEN click on the install app popup. And THEN realize that the app that you just went to install, isn't there. And THEN just forget about it.

Seems like a simple thing, doesn't it?