"iOS Enterprise Certificates".

Then it isn't a security flaw. I love how this Apple-centric site fails to mention that you actually have to install the certificate. This is blown way out of proportion!

Yeah but ... I understand a lot about the Apple ecosystem and yet still have an answered question.

Which is ... does this attack REQUIRE that you have already installed an Enterprise Certificate from someone/somewhere?? Or does the "trojan" app come with an embedded certificate??

I believe that the answer is (1) -- that there has to be an Enterprise Certificate already on the iDevice, but I'm not sure of this (and can't test it myself). Can anyone provide a definitive answer?
 
If the US government is putting out an official warning, then it's not being blown out of proportion.

Stop apologizing for Apple. This is exactly how these situations come about in the first place: Too many people excusing Apple for problems with their software instead of pressing them to fix the problems.

Fix what problem? If you need to install and trust a certificate to be vulnerable as the other poster said (IDK whether that's true), then it's not a problem. It's like complaining about being allowed to run "sudo rm -rf /". But I think the guy you're replying to is wrong in his information anyway. You shouldn't need to manually import any certificates to be vulnerable. BUT you should have said something about that instead of accusing him of being an apologist.
 
Sadly a large part of the iPhone user base will click ACCEPT to anything that pops up, without even reading it. It's what America has become... we don't read, then we complain we've been scammed.

To be fair, we've had to accept untrusted SSL certificates to use the real Google.com and other legit sites in the past because they accidentally let their certificates expire. More loosely, we all accept EULAs without reading because they're extremely long and usually not important. There are too many things that "cry wolf".
 
Fix what problem? If you need to install and trust a certificate to be vulnerable as the other poster said (IDK whether that's true), then it's not a problem. It's like complaining about being allowed to run "sudo rm -rf /".

I am not certain, but I think it's deeper. The problem, as I understand it, is that the install process does NOT walk the cert chain to ensure that the new app comes from the same developer as the original app. If this is so then it is a real "oh ******" on Apple's part. But details are still murky and I'm not certain.
 
Yeah but ... I understand a lot about the Apple ecosystem and yet still have an answered question.

Which is ... does this attack REQUIRE that you have already installed an Enterprise Certificate from someone/somewhere?? Or does the "trojan" app come with an embedded certificate??

I believe that the answer is (1) -- that there has to be an Enterprise Certificate already on the iDevice, but I'm not sure of this (and can't test it myself). Can anyone provide a definitive answer?

I have no definitive answer, but I know that you don't need a certificate already installed to download other apps from outside the App Store. It doesn't seem like the situation would be different for apps that replace legit ones.
 
As much as trivial and "common sense"ish this may seem, there is absolutely nothing wrong with this type of warning. I don't understand the hate for it. If the US government released a warning about "please lock your doors at night.." will people be fundamentally against that also?

We have a lot of warning labels on cars, on machines, on prescription drugs... this is no different.
 
Might make Apple actually fix this, since, you know, it is actually a vulnerability. No app should be capable of overwriting other apps and reading the data from the app that it overwrote, even if you have a certificate on your device and the app has to be maliciously crafted.
 
As much as trivial and "common sense"ish this may seem, there is absolutely nothing wrong with this type of warning. I don't understand the hate for it. If the US government released a warning about "please lock your doors at night.." will people be fundamentally against that also?

We have a lot of warning labels on cars, on machines, on prescription drugs... this is no different.

Having the US government comment on the security of an Apple product negates the idea that Apple products are infallible. And apparently that upsets some people.
 
As much as trivial and "common sense"ish this may seem, there is absolutely nothing wrong with this type of warning. I don't understand the hate for it. If the US government released a warning about "please lock your doors at night.." will people be fundamentally against that also?

We have a lot of warning labels on cars, on machines, on prescription drugs... this is no different.

I think people are upset because, AFAIK, they don't release similar warnings about attacks on other OSs.
 
So are Enterprise users who use their iOS devices for business the only ones susceptible to this?

No - it can install on any device. Enterprise Profiles are meant for in-house distribution of in-house software, but can be installed on any device.

However, if you start the app signed with the enterprise profile for the first time, it will prompt you and ask you if you want to trust this profile from developer XYZ .... just use common sense and you will be safe.

The big f* up from Apple is that apparently the 'bad' app can have the same name (internal name, which is usually prefixed by the company id) as existing apps and will overwrite that one without questions .... so you should get suspicious if you e.g. open the gmail app and it will tell you "this app was signed by "CIA development" - do you want to trust the developer "CIA" ... better say no, since you know that gmail was not developed by the CIA and apps from the AppStore will never prompt you to trust unknown developers.
 
Also in the news: US Government warns iOS users not to do stupid stuff. Like click links to websites you don't trust.

Agree...but this is Apple again not getting ahead of the news. A simple warning right on the front page would have silenced everybody. You will see Apple responding right away now.

As many have said, I don't know how this would get solved without causing pain for others. In my company's intranet, we constantly get links to download updates to our internal applications and we just click install without thinking about it.
 
Great minds...

"iOS Enterprise Certificates".

Then it isn't a security flaw. I love how this Apple-centric site fails to mention that you actually have to install the certificate. This is blown way out of proportion!

I was just about to type nearly the same reply!

In order for this attack vector to work you have to be installing an iOS app, not from the App Store, using an "iOS enterprise provisioning profile" that is supplied by an Enterprise licensed company (that you presumably work for).

If you don't work for a company that distributes its own iOS apps to employees, nor have an "iOS enterprise provisioning profile" on your iOS device (which can be easily deleted, btw) then you're not at risk ... at all!
 
It's like saying "Only install Sandboxed Apps on your Mac - warning!" - heck, I had to adjust my security settings just to install Adobe software and MS Office. This "new" feature in OS X bugs the crap outta me...they "only" want you to get your programs from THEIR online App Store...and pay Apple every cent...really??? Most hi-end software from 3rd party developers is not on the Mac App store. Even something like VLC must be downloaded from the web....and your Sandboxing "allow everything" has to be selected. Doh!
 
"iOS Enterprise Certificates".

Then it isn't a security flaw. I love how this Apple-centric site fails to mention that you actually have to install the certificate.
That's because you don't. The provisioning profile can be embedded in the app bundle itself, so no separate installation is necessary. Since iOS 8 there is also no separate warning that the profile is being installed, and it is no longer visible to the end user in the settings. You are prompted to install the app itself, but it's just a simple dialog box that doesn't look like an urgent warning.
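
As an added example (not part of any post in this thread, and not Apple's or any vendor's code): a triage check an administrator could run on an IPA file before allowing it onto managed devices, flagging the combination discussed above, an enterprise provisioning profile embedded in the bundle together with a bundle identifier that matches an app already known. The allowlist `KNOWN_STORE_BUNDLE_IDS`, the bundle IDs, the team name and the sample IPA builder are constructed for illustration; `ProvisionsAllDevices` is the profile key that marks enterprise (in-house) distribution.

```python
import io
import plistlib
import re
import zipfile

# Assumption: bundle IDs the organisation knows belong to App Store apps (constructed).
KNOWN_STORE_BUNDLE_IDS = {"com.example.mail"}


def extract_profile_plist(blob):
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision.

    The CMS signature is NOT verified here; this is triage, not a trust decision.
    """
    m = re.search(rb"<\?xml.*?</plist>", blob, re.DOTALL)
    return plistlib.loads(m.group(0)) if m else {}


def triage_ipa(ipa_bytes):
    """Report whether an IPA embeds an enterprise profile and reuses a known bundle ID."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        info_name = next(n for n in names
                         if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n))
        info = plistlib.loads(z.read(info_name))  # handles XML and binary plists
        prof_name = info_name.replace("Info.plist", "embedded.mobileprovision")
        profile = extract_profile_plist(z.read(prof_name)) if prof_name in names else {}
    bundle_id = info.get("CFBundleIdentifier", "")
    enterprise = bool(profile.get("ProvisionsAllDevices", False))
    collides = bundle_id in KNOWN_STORE_BUNDLE_IDS
    return {
        "bundle_id": bundle_id,
        "embedded_profile": bool(profile),
        "enterprise_profile": enterprise,
        "signer_team": profile.get("TeamName"),
        "bundle_id_collision": collides,
        "suspicious": enterprise and collides,
    }


def build_sample_ipa(bundle_id, profile=None):
    """Constructed test input: a minimal IPA-shaped zip, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        if profile is not None:
            # Placeholder framing bytes stand in for the CMS envelope around the plist.
            z.writestr("Payload/Demo.app/embedded.mobileprovision",
                       b"\x30\x82" + plistlib.dumps(profile) + b"\x00\x00")
    return buf.getvalue()
```

An in-house app with its own bundle ID still reports `enterprise_profile` as true but is not marked suspicious; only the collision with a known identifier is.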
 
Agree...but this is Apple again not getting ahead of the news. A simple warning right on the front page would have silenced everybody. You will see Apple responding right away now.

As many have said, I don't know how this would get solved without causing pain for others. In my company's intranet, we constantly get links to download updates to our internal applications and we just click install without thinking about it.

One does wonder why they weren't more proactive.

Sorry you have to live in that environment. Well, at least you have an iPhone for work, so it isn't all that bad.

Maybe Apple could provide a dedicated Enterprise App Store app that companies could send all of their updates through: each company would get its own specialized Enterprise App Store app.
 
I think people are upset because, AFAIK, they don't release similar warnings about attacks on other OSs.

I disagree with you there. The OP clearly said they have released 14 warnings this year. Maybe 2 have concerned Apple directly. In this forum at least, it definitely seems people are defensive simply because :apple:.

The worst part is the condescension: ... only stupid people ... gotta be an idiot... morons... other derogatory crap. :mad: Meanwhile in our reasonably tech savvy forum it's pretty obvious that we don't know the full details about the attack. Does the cert have to be already installed or is a fake cert inserted along with the package? Does Apple verify if the cert originates from somewhere different? If not, why don't they? How does this attack overwrite the original app and access the original's data? The people denigrating the masses don't seem concerned about it. :apple: defense seems to be the priority.

Point is, it's a notice for everyone (not just tech nerds) to be more mindful. How is that a bad thing? If anything it makes people more aware and possibly willing to learn more about their devices.
 
Sadly a large part of the iPhone user base will click ACCEPT to anything that pops up, without even reading it. It's what America has become... we don't read, then we complain we've been scammed.

You hit the nail on the head with most security issues. Apple did it right with "as you go" security access during app operation instead of a huge "Accept" button before the app even runs. I'd like to see this "as you go" become policy industry wide so the user knows what they are permitting instead of reading a huge document that gets in the way of app operation.

----------

Once again, don't be stupid and download outside the app store.

Just like don't mess around with the girl on the street without protection.
 
Once again, don't be stupid and download outside the app store.

How can you explain this to a 45+ year old man or woman, or a 14 year old girl? Here's the thing: you can't and should never expect everyone to be internet smart. This is something Apple needs to address, and the whole "I'm too smart to fall for this" notion doesn't work in this scenario. It amazes me how far people are willing to go just to clear Apple's record from any responsibility. This way of thinking is exactly the reason why, since the news broke till this moment, Apple didn't say a word or patch the security hole. Maybe you know your way around, check MR every day or online security blogs, but you can't expect everyone else to be alerted as well or wise enough to avoid this.
 