This should have been fixed back in July when they were told about it.. So this is no excuse. But this should have been fixed the latest by monday night.. Its a double no excuse...
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
U.S. Government Warns iOS Users About 'Masque Attack' Vulnerability
- Thread starter MacRumors
- Start date
- Sort by reaction score
this is probably a really dumb question... but is it even possible for an everyday user to install an app that isn't from the app store? (assuming that it isn't jailbroken)
i know that you can install 3rd-party apps on a Mac easy enough, but i didn't think an out-of-the-box iPad or iPhone would allow it.
i know that you can install 3rd-party apps on a Mac easy enough, but i didn't think an out-of-the-box iPad or iPhone would allow it.
Don't be stupid
Why is there even a government warning. Don't download random apps from third party app store, duh. Who does that anyway.
----------
I bet she gets hacked on her windows computer all the time.
----------
Non-issue for 99.9999% of the users.
Why is there even a government warning. Don't download random apps from third party app store, duh. Who does that anyway.
----------
I bet she gets hacked on her windows computer all the time.
----------
Non-issue for 99.9999% of the users.
Does the "average user" know not to tap "Install" buttons after they've been sent a message with a link for something to look at? Huge deal for most users. You know we all ARE idiots. The Obamacare author said so, and I haven't heard anyone in the government contradict him.
(did not read through thread yet) Im not to sure about what other people use their mobile Apple devices for, or how they use them. But since i bought my original iPhone, all the way up to now with my iPad air 2 and (warped) iPhone 6, I've never felt the need or desire to try and download apps from a website. If I'm incorrect, please let me know. If an android user downloads apps off of the web, couldn't the same thing happen to them? Wasn't it the android app store or google play where an app was up for sale thats primary purpose was to steal information? I think the Gov is making a stink about this because Apples dedication to its users privacy. just a thought. What do you guys think?
I have one. This is the page where the exploit was discovered and released:
http://www.fireeye.com/blog/technic...ue-attack-all-your-ios-apps-belong-to-us.html
It says, "security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."
It also says, "By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like New Angry Bird), and the iOS system will use it to replace a legitimate app with the same bundle identifier."
I've done iOS development and know that this requires a provisioning profile (separate from the app certificate) onto the device in order to install the app. This provisioning profile install requires user input, e.g. tap "Install" when prompted.
***The App Store apps don't do this!***
Apps that were created via a Developer Account or an Enterprise Developer Account (in this case) and are being installed via iTunes (drag and drop, not via the Store) or Xcode are the only types of apps that go through this process of first installing a provisioning profile.
Unless your iOS device is JailBroken (not a good idea unless you're well versed in computer/network security) or you install applications that your company develops and distributes internally via an Enterprise Developer Account, you have nothing to fear.
Of course, if you do JailBreak your phone or install out-of-App-Store apps, then don't click and install provisioning profiles unless you know for a fact where they and the app came from!
If you are a developer, you should know that you can easily embed the provisioning profile right into the app bundle. Just name it "embedded.mobileprovision" and put it into /Payload/.app. There is no need to install the profile separately. This works with both ad hoc and enterprise profiles. And in iOS 8, Apple has practically made the provisioning profiles invisible to the end user. Neither is there a separate prompt for its installation, nor is it visible in the settings afterwards.
ipa bundles that have been signed with a valid enterprise distribution certificate (no matter if it's legit or stolen) and include a matching provisioning profile will install on any iOS device with one tap. It does not need to be jailbroken, nor does the user have to have any profile pre-installed.
If Apple can't prevent users, what makes the government ?
It's still a warning... are users more likely to listen to the government than Apple (the device it came from) ?
I'm even amazed this flaw is so serious it actually requires the governments to speak out about...
It's still a warning... are users more likely to listen to the government than Apple (the device it came from) ?
I'm even amazed this flaw is so serious it actually requires the governments to speak out about...
Well Well Well..
So let me get this straight. The US Gov is scaring people about Apple now. New level of low. I can't wait for some one to dig up the dirt on who authorized this press and why. I smell it. It stinks of some political bs. hmmm. The FB ey'rs hate the security features of ios8. all of a sudden some *******s in CHINA pull this shizz while MR.Prez is signing new trade agreements with them. I smell BS. looks like it, feels like it, tastes like it... The Gov just stepped in it. Hello AppleGov gate. and.. who just got voted into power. ah, the good ole days. buying stock in popcorn so I have plenty to watch the new, same 'ol good times ahead.
I hope Apple levels a multi-billion dollar lawsuit.. then we'll all hear the crys with tears as big as horse turds. Bad Apple, bad bad Apple.
So let me get this straight. The US Gov is scaring people about Apple now. New level of low. I can't wait for some one to dig up the dirt on who authorized this press and why. I smell it. It stinks of some political bs. hmmm. The FB ey'rs hate the security features of ios8. all of a sudden some *******s in CHINA pull this shizz while MR.Prez is signing new trade agreements with them. I smell BS. looks like it, feels like it, tastes like it... The Gov just stepped in it. Hello AppleGov gate. and.. who just got voted into power. ah, the good ole days. buying stock in popcorn so I have plenty to watch the new, same 'ol good times ahead.
I hope Apple levels a multi-billion dollar lawsuit.. then we'll all hear the crys with tears as big as horse turds. Bad Apple, bad bad Apple.
Yeah, but you act as though installing it with the app, or without the app would make an actual difference to a user who is ready to install just about anything on their phone from anywhere
.The problem is that provisioning is usefull and how do you plug this without making it a mess. Having app upgrades require an actual prompt(saying you are about to upgrade app X with app Y) instead of a silent install would make this a lot less of an issue, having a warning when the app certificate doesn't match the certificate of the upgraded app would make it doubly secure (this would still allow someone to replace an enterprise's own app, but if an intruder knows about that app, you are probably already looking at an inside job and you have more to worry about than this issue), since an app couldn't impersonate an app.
No, they want you to have the option to not automatically install any application that hasn't been vetted by them. It's your right to 1) know that your system is installing an application, 2) to know if it's been vetted, and 3) whether to lock a non-admin from being able to install unvetted applications. How horrible that you had to 'adjust' your security settings, in order to give you more security options...
Well, IMO there are really two issues that make this dangerous: (1) The fact that any signed app bundle can replace an existing app on the device and access all its private data, and (2) that Apple has made it very easy to install apps outside of the app store using enterprise provisioning profiles. (1) is a real security flaw; Apple should only allow a bundle to replace an existing app if it was signed by the same developer. (2) is a design choice; apparently Apple doesn't want to confuse employees who install enterprise applications (keep in mind that those are not only technical people, but also administrators, managers etc.) and decided to basically hide the fact that a provisioning profile is being installed. Both are bad choices IMO.
This summarizes the actual reality fairly well.
There's a flaw there, it might not be one that impacts or even would impact a lot of people, but it doesn't change the fact that the security flaw exists. Now that it's in the open and now that in iOS 8 all these profile installations can be essentially transparent, there's the potential of it being abused somewhat more than usual--that's not to say that suddenly everyone or even most people would be in potential trouble, but it is to say that the security flaw can have a larger impact than the more limited one it might otherwise have.
The underlying point is that it's there and it should be addressed.
I rarely see true examples of irony in real life. But .gov warning us about malicious players? Cake taken, eaten and pooped.
But to the issue at hand: How does this get patched without a lot of legit players that have been using this profile/enterprise stuff not immediately having a lot of their processes broken?
But to the issue at hand: How does this get patched without a lot of legit players that have been using this profile/enterprise stuff not immediately having a lot of their processes broken?
Not wanting to break other things is probably the reason why there isn't a fix for this right now. Apple on a case by case basis can revoke rogue certs right now to deactivate the bad apps. But, that's only a band aid.