MacRumors

macrumors bot
Original poster



The United States government today issued a bulletin warning iPhone and iPad users about the recent "Masque Attack" vulnerability, a security flaw that first surfaced on Monday of this week, reports Reuters. Masque Attack is a vulnerability that can allow malicious third-party iOS apps to masquerade as legitimate apps via iOS enterprise provision profiles.

Written by the National Cybersecurity and Communications Integration Center and the U.S. Computer Emergency Readiness Teams, the bulletin outlines how Masque Attack spreads -- luring users to install an untrusted app through a phishing link -- and what a malicious app is capable of doing.
An app installed on an iOS device using this technique may:

- Mimic the original app's login interface to steal the victim's login credentials.
- Access sensitive data from local data caches.
- Perform background monitoring of the user's device.
- Gain root privileges to the iOS device.
- Be indistinguishable from a genuine app.

The post also advises iOS users to protect themselves by avoiding apps that have been installed from sources other than the App Store or an organization they're affiliated with, avoiding tapping "Install" on third-party pop-ups when viewing web pages, and tapping "Don't Trust" on any iOS app that shows an "Untrusted App Developer Alert."

Masque Attack in action
Computer security alerts issued by the government are fairly rare, and only 13 have been sent over the course of 2014. Other vulnerabilities that have prompted alerts include Heartbleed and an SSL 3.0 flaw called "Poodle."

FireEye, the team that discovered Masque Attack, has notified Apple about the vulnerability, but it has not been patched in the recent iOS 8.1.1 beta thus far. It also affects iOS 7.1.1, 7.1.2, 8.0, and 8.1, and as of today, Apple has not yet commented on Masque Attack.

Masque Attack, along with WireLurker, another vulnerability outlined earlier this month, is unlikely to affect the average iOS user so long as Apple's security features are not bypassed. Masque Attack works by circumventing the iOS App Store to install apps, while WireLurker is similar, infecting machines via third-party software downloaded outside of the Mac App Store.

Both WireLurker and Masque Attack can be avoided by staying away from suspicious apps and avoiding links that prompt users to install apps outside of Apple's App Stores.

Article Link: U.S. Government Warns iOS Users About 'Masque Attack' Vulnerability
 
"iOS Enterprise Certificates".

Then it isn't a security flaw. I love how this Apple-centric site fails to mention that you actually have to install the certificate. This is blown way out of proportion!
 
I wonder how difficult this will be for Apple to patch. I don't know much about iOS programming so I don't know how deep this security flaw runs.
 
"unlikely to affect the average iOS user so long as Apple's security features are not bypassed"

Problem solved. Huge deal for nothing.
 
"iOS Enterprise Certificates".

Then it isn't a security flaw. I love how this Apple-centric site fails to mention that you actually have to install the certificate. This is blown way out of proportion!

Sadly a large part of the iPhone user base will click ACCEPT to anything that pops up, without even reading it. It's what America has become... we don't read, then we complain we've been scammed.
 
Did they just blow past the part where the app signed by an Enterprise Certificate asks you if you trust the developer before launching the app?

I am very curious how they are getting at the phone call and SMS database though.
 
"iOS Enterprise Certificates".

Then it isn't a security flaw. I love how this Apple-centric site fails to mention that you actually have to install the certificate. This is blown way out of proportion!

If the US government is putting out an official warning, then it's not being blown out of proportion.

Stop apologizing for Apple. This is exactly how these situations come about in the first place: Too many people excusing Apple for problems with their software instead of pressing them to fix the problems.
 
So - You only want apps that you get from the app store.

Don't apps have to be from the app store unless your phone is jailbroken?
 
I wonder how difficult this will be for Apple to patch. I don't know much about iOS programming so I don't know how deep this security flaw runs.

Unfortunately the only way I see this being patched is making things more difficult for the developers.

I can see it now.... "Enterprise builds require full App Store approval" and are downloaded through some backdoor in the App Store.

They could possibly do something around bundle identifiers and make us register them and be globally unique. But that's only going to prevent an attacker from replacing the legitimate app.

Moral of the story, the user will always find a way to screw something up if they ignore warnings.

----------

This doesn't mean that it's not safe to Jailbreak your phone or iPad either.

If you're downloading apps from the Jailbreak app stores you're at the same risk.
 
Why would anyone download an iOS app from a third-party website, especially from a link you receive via SMS? I'm smart enough to know to only install and update apps through iTunes/the App Store.
 
If the US government is putting out an official warning, then it's not being blown out of proportion.

Stop apologizing for Apple. This is exactly how these situations come about in the first place: Too many people excusing Apple for problems with their software instead of pressing them to fix the problems.

I agree that excusing them doesn't help moving forward, but this has been blown out of proportion. I used to work at the NCCIC and the vast majority of the unclassified bulletins that were released discussed rather mundane and generally well known topics of security. The bulletins are just to increase awareness.
 
So something that was demonstrated at a conference over a year ago by one of the well known Jailbreakers and even at that time security researchers admitted it wasn't a big deal and you'd have to be a complete moron to fall for it is now a big deal? Stupid.
 
So - You only want apps that you get from the app store.

Don't apps have to be from the app store unless your phone is jailbroken?

With an Enterprise Certificate you can download company specific apps outside the AppStore.
 
So let me get this straight. In order to be impacted by this you have to:

Prerequisite: Have an Enterprise Certificate on your device that allows for apps to be downloaded outside of the app store

1. Receive an SMS message from someone you don't know
2. Click the link in the message which will <don't really know> download some app to your device that will *look* like an app you already have?

Honest question about how this happens...
 
So - You only want apps that you get from the app store.

Don't apps have to be from the app store unless your phone is jailbroken?

No, if they are signed with an enterprise certificate then they don't have to come from the AppStore - they work on every device, jailbroken or not. But if you start an app the first time and it was signed by an enterprise profile, it will tell you who signed it and if you want to trust that developer .... that is the part where people that think tap no and people that don't think tap yes.
 
This is cute. Reminds me of how the IT guys at Berkeley keep warning us about the existence of computer viruses in the rad cyberspace when you're surfin' the interweb. And, technically, I am in violation of campus tech rules by not having antivirus on my Mac :rolleyes:
 