To be fair, a large part of the Windows/Android user base will click ACCEPT to anything that pops up too.

At least on Android, you actually have to turn the "Unknown Sources" option on. In a way, Android is more secure than iOS as the ability to install iOS Enterprise certificates cannot be turned off or on.
 
Seems like a few things are being overlooked.

For the first item on the list, at least in iOS 8, a certificate/profile can simply be transparently installed as part of the actual app installation. That makes it that much simpler and easier and less noticeable even.

As for the security flaw part of it, the issue isn't with just a general installation of apps outside the App Store using certificates/profiles, the issue is that with an installation like that it's possible to have one app overwrite another app making it look like it's that app, that's the security flaw.
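As an added illustration of the overwrite risk described above (not code from this thread or from any tool it references), here is a Python check that pulls the plist out of a provisioning profile, tells an enterprise in-house profile apart by its ProvisionsAllDevices key, and reports installed bundle identifiers that the profile's application-identifier could replace. The profile bytes are a constructed sample, and the installed-app list is assumed to come from a device inventory or MDM export.

```python
import plistlib
import re

# Constructed sample (not a real profile): the XML plist that an
# embedded.mobileprovision carries inside its CMS signature wrapper.
# The plist survives in plaintext inside the DER, so a byte search
# recovers it without needing to verify the signature first.
SAMPLE_PROFILE = b"\x30\x82\x0c\x00..signature header.." + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Corp In-House</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>TeamIdentifier</key><array><string>EXAMPLETEAM</string></array>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLETEAM.com.example.mail</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>""" + b"..trailing signature bytes.."

PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def parse_profile(blob: bytes) -> dict:
    """Pull the plist out of a provisioning profile blob and decode it."""
    m = PLIST_RE.search(blob)
    if not m:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(m.group(0))


def profile_bundle_id(profile: dict) -> str:
    """Bundle id (or wildcard pattern) the profile covers, TEAMID prefix stripped."""
    app_id = profile["Entitlements"]["application-identifier"]
    return app_id.split(".", 1)[1]  # "TEAMID.com.example.app" -> "com.example.app"


def masque_risk(profile: dict, installed_bundle_ids: set) -> list:
    """Flag an in-house profile whose app id (wildcards included) could replace an installed app."""
    findings = []
    if not profile.get("ProvisionsAllDevices"):
        return findings  # not an in-house profile: App Store or device-limited
    findings.append("enterprise (in-house) distribution profile")
    pattern = profile_bundle_id(profile)
    for bid in sorted(installed_bundle_ids):
        # "*" or "com.example.*" covers every bundle id under that prefix
        if bid == pattern or (pattern.endswith("*") and bid.startswith(pattern[:-1])):
            findings.append(f"bundle id {bid} collides with an installed app")
    return findings
```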

The overwriting part is not the big issue. It is unlikely they'd be able to imitate the app they overwrite.

The issue is that they get all the app's data and bypass access control; they get access to whatever you gave access to for that app.

Not sure if there is a way to get an app started in a sandbox without the user starting it. But, eventually he'll probably click on the replaced app (in fact the false app) and even if it starts nothing for the users (he'll think it will have crashed), it could start the fake malicious app in the background. If they can chain their bots startup with the app startup, they could in fact not affect the original app at all. Just be started when it is accessed (wonder how that would show up in the task list?).

That bot could then access the contact list, SMS or mail everyone in the list to spread the malware. They'd also transfer everything they can get from this sandbox to their own server. Since the email/SMS/iMessage would come from someone trusted, they'd be able to get more installs. It's a very old way of spreading malware and viruses.
 
I'm not apologizing for Apple! In order to install ANY app signed by an iOS Enterprise Certificate, you must:

  • Download, accept, and install said certificate. (Funny how both article and video don't mention this)
  • Actually download and install signed app.
  • Use installed app.

Then you have to admit 'it just works' is not really true.
 
I'm not apologizing for Apple! In order to install ANY app signed by an iOS Enterprise Certificate, you must:

  • Download, accept, and install said certificate. (Funny how both article and video don't mention this)
  • Actually download and install signed app.
  • Use installed app.

The first two steps are done together when you click the link. It comes down to the user pressing "OK" at just one prompt.
 
The overwriting part is not the big issue. It is unlikely they'd be able to imitate the app they overwrite.
On the contrary, that's very easy to do. They'd just decrypt the original app (using the same methods that pirates use), inject their malware, and re-sign it with their stolen enterprise distribution certificate. Indistinguishable from the original.
The issue is that they get all the app's data and bypass access control; they get access to whatever you gave access to for that app.
That, and since the app is not screened by Apple, they can also use undocumented private APIs, or even gain root privileges using the same exploits that are used for jailbreaking.
Not sure if there is a way to get an app started in a sandbox without the user starting it.
There are a number of methods. Since there is no screening, the app can e.g. claim VoIP entitlements which enables the app to be auto-started whenever the device is booted.
 
On the contrary, that's very easy to do. They'd just decrypt the original app (using the same methods that pirates use), inject their malware, and re-sign it with their stolen enterprise distribution certificate. Indistinguishable from the original.
That, and since the app is not screened by Apple, they can also use undocumented private APIs, or even gain root privileges using the same exploits that are used for jailbreaking.
There are a number of methods. Since there is no screening, the app can e.g. claim VoIP entitlements which enables the app to be auto-started whenever the device is booted.

Don't think they can claim anything the sandbox doesn't already have without asking for it. You gained whatever the initial app had, nothing more.
The app is still installed inside the sandbox. The OS installed you there, you're not coming from outside it like in a jailbreak.

If access control is done properly, there's no way you get access to extra services and channels simply by being installed there with an unvetted API. It's a Unix under there, they haven't reinvented the wheel after all.

If I dump a random API into a non-root account on my Linux or FreeBSD box, I can do at most what I let it do. That's bad enough, no need to dramatize it further. It can do enough damage without having to compromise the OS if it hits the right app.

Also, isn't there per-app encryption of data on iOS? It's not that simple getting out of a sandbox once you're in it to get access to other sandboxes' data (or even system data).
 
not apologizing or anything, but really this isn't an issue for anyone that doesn't have a jailbroken phone, or goes to some really shady sites on Mac and just downloads everything lol
 
Don't think they can claim anything the sandbox doesn't already have without asking for it.
An app doesn't have to ask the user for compile-time entitlements. The only thing preventing apps from claiming this kind of unauthorized entitlement is the Apple store review process, which doesn't take place for enterprise apps.
If access control is done properly, there's no way you get access to extra services and channels simply by being installed there with an unvetted API.
In the past, private APIs have allowed apps e.g. to monitor the user's touch input globally, or to intercept incoming SMS messages. Read this paper:

https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Apple-without-shell
Also, isn't there per-app encryption of data on iOS? It's not that simple getting out of a sandbox once you're in it to get access to other sandboxes' data (or even system data).
That's exactly what jailbreak exploits do.
 
not apologizing or anything, but really this isn't an issue for anyone that doesn't have a jailbroken phone, or goes to some really shady sites on Mac and just downloads everything lol
This is unrelated to jailbreaks and certainly can easily exist outside of shady sites. It's not to say that it does or that it's widespread in some way, but it's not somehow limited to jailbroken devices or going to shady sites.
 
An app doesn't have to ask the user for compile-time entitlements. The only thing preventing apps from claiming this kind of unauthorized entitlement is the Apple store review process, which doesn't take place for enterprise apps.
In the past, private APIs have allowed apps e.g. to monitor the user's touch input globally, or to intercept incoming SMS messages. Read this paper:

https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Apple-without-shell
That's exactly what jailbreak exploits do.

I've actually read the articles and it's a rather badly written piece that seems to go way beyond its main point (which I agree with, provisioning needs to be improved); but I got most of the gist of it.

It sort of mixes proof of concept things with actual exploits that have already been patched. Two of the major bugs mentioned were actually in iOS 7 (one I remember was patched 9 months ago). The certificate revocation bug was also in 7.

I've tried to track the exploits used by Pangu, but the trace for this online is rather slim. They're not using enterprise provisioning or any of the bugs mentioned here (just 3 new ones) and their main exploit is going to be patched in 8.1.1.

So, again, yes an issue. But let's not go crazy here :) This is basically a broken-as-designed issue, not a bug in the traditional sense of the word.

I also disagree with them that Apple should let third-party security vendors install whatever crap they want on iOS. That's just a very ugly kludge that soon becomes unworkable since those internals are mostly undocumented and are not meant to provide something stable to a third party. They are for Apple's dev teams' own amusement. Only Apple is supposed to play with them.

Just to put this in perspective, I got 20 security updates (large ones) on my Windows 8.1 machine in one month... Lord knows what's left unpatched! And 8.1 is 1000 times better than XP!

60%+ of Android phones are left unpatched forever no matter how bad the bug is and become bots for whoever wants to use them.
 
Sadly a large part of the iPhone user base will click ACCEPT to anything that pops up, without even reading it. It's what America has become... we don't read, then we complain we've been scammed.

That's a bunch of bull honky! I don't believe for one second, "America" has become near as illiterate and blundering as you paint us. There are a lot of stereotypes out there -- the fat, power-scooter, diabetes laden, machine gun toting image that some minds think at the word, 'American' is my least favorite of them. Granted there are a few people out there that might fit the mold (entirely unfounded stereotypes aren't logical), but I believe only a tiny part of the iPhone user base would ever be ignorant enough, especially given all this coverage, to fall for this trick.
 
Just like common sense escapes most of the under 45 crowd, along with good manners and character.

That's harder to judge, but I at least wouldn't deny that.

----------

not apologizing or anything, but really this isn't an issue for anyone that doesn't have a jailbroken phone, or goes to some really shady sites on Mac and just downloads everything lol

FYI this isn't true. You don't need a jailbroken phone or a Mac to install apps (including malicious ones) through Safari on dev profiles. So you still have to keep an eye out.
 
The main point is that you proceed without checking certificates, clicking on a link inserted in an email, and then you discover it's phishing...
People should be more aware of what they're doing... :rolleyes:
 
To be fair, a large part of the Windows/Android user base will click ACCEPT to anything that pops up too.

Correct, I wasn't trying to single out iOS users. :=)

----------

That's a bunch of bull honky! I don't believe for one second, "America" has become near as illiterate and blundering as you paint us. There are a lot of stereotypes out there -- the fat, power-scooter, diabetes laden, machine gun toting image that some minds think at the word, 'American' is my least favorite of them. Granted there are a few people out there that might fit the mold (entirely unfounded stereotypes aren't logical), but I believe only a tiny part of the iPhone user base would ever be ignorant enough, especially given all this coverage, to fall for this trick.

You may want to watch this: http://youtu.be/VMqcLUqYqrs

Open your mind... Americans are lazy, reliant on others, and generally sheep which follow. Not what this country (yes, I'm American) was founded on, nor what made this country formerly the greatest country in the nation. For you to disagree, it's furthering the above points.
 
Correct, I wasn't trying to single out iOS users. :=)

----------

You may want to watch this: http://youtu.be/VMqcLUqYqrs

Open your mind... Americans are lazy, reliant on others, and generally sheep which follow. Not what this country (yes, I'm American) was founded on, nor what made this country formerly the greatest country in the nation. For you to disagree, it's furthering the above points.
Ah, yes, stereotypical generalizations...those are truly meaningful.
 
Fix what problem? If you need to install and trust a certificate to be vulnerable as the other poster said (IDK whether that's true), then it's not a problem. It's like complaining about being allowed to run "sudo rm -rf /".

Except on a company computer, you won't be able to do rm -rf /... I'm not sure you can block a company iPhone to prevent dumb people from accepting an enterprise-signed trojan - especially since many of these people will be used to accepting their enterprise-signed legitimate apps... And the problem is that nowadays, a lot of people have sensitive information on their business phone...
I guess that's why your government is issuing a warning. Besides it seems American people are prone to do stupid things - at least, that's what I gather from the litany of insane warnings I get in the English parts of most of the manuals of products I buy... If it's a given in your country that people should be warned about every dumb thing, it's pretty reasonable to warn them about a real security risk that could hurt a lot of business...
 
Except on a company computer, you won't be able to do rm -rf /... I'm not sure you can block a company iPhone to prevent dumb people from accepting an enterprise-signed trojan - especially since many of these people will be used to accepting their enterprise-signed legitimate apps... And the problem is that nowadays, a lot of people have sensitive information on their business phone...
I guess that's why your government is issuing a warning. Besides it seems American people are prone to do stupid things - at least, that's what I gather from the litany of insane warnings I get in the English parts of most of the manuals of products I buy... If it's a given in your country that people should be warned about every dumb thing, it's pretty reasonable to warn them about a real security risk that could hurt a lot of business...
Yeah, it's not like stupidity and/or ignorance doesn't exist and even prevail throughout the world in general.
 
Not sure if this has been pointed out yet, but... Enterprise Provisioning Profiles. The only way to obtain these is from Apple for $$$. The moment Apple notices someone exploiting this vulnerability they can revoke the certificates.

So, yeah, this vulnerability is way overblown. The only way to exploit it is if you're a registered company and even if you did exploit it, Apple would immediately terminate your enterprise program membership.

There's no real threat.
 
Not sure if this has been pointed out yet, but... Enterprise Provisioning Profiles. The only way to obtain these is from Apple for $$$. The moment Apple notices someone exploiting this vulnerability they can revoke the certificates.

So, yeah, this vulnerability is way overblown. The only way to exploit it is if you're a registered company and even if you did exploit it, Apple would immediately terminate your enterprise program membership.

There's no real threat.

The people at Emu4iOS or whatever it's called now got away with distributing their unacceptable (to Apple) apps for about a week (?) on whatever profile they were using before Apple took them down. After that, people had to set their dates back to use them.
 
The trojan app installs in the same directory as the original. "All ur data is bilong us."

SMS data is not in the same directory as Gmail. I suppose they are probably using private APIs to access the SMS data.
 
Why would someone even think of installing an app outside of the App Store? That is what baffles me. I know there are people that do it, but if you're smart, this is a non-issue for most iOS users.
 