Apple has long said that one of the main selling points of the iPhone and iPad is that they are more secure than their Android counterparts. Apps are sandboxed, meaning that one app cannot read or tamper with the data of another.
There are also only a couple of places from which users can install apps: Apple’s App Store, from which billions of publicly available apps have been downloaded, and the enterprise/ad-hoc provisioning that some companies and developers use to test and deploy their apps.
The ability to load apps not yet available on the App Store is very useful for companies that wish to deploy apps to just a few users, or for developers who want to beta test applications before release.
However, the ability to install apps outside of the App Store is a point of vulnerability, and security research firm FireEye has discovered a potential malware attack that would allow a malicious actor to replace a normally installed app — say one from a bank or email provider — with a near-perfect replica that sends data back to the hacker.
The vulnerability has been confirmed to exist in iOS 7.1.1, 7.1.2, 8.0, the current iOS 8.1, and the 8.1.1 beta — both on jailbroken and non-jailbroken devices.
Each app on the App Store has a so-called bundle identifier, a numeric name that makes the human-readable name of the app superfluous. If a malware app is given the same bundle identifier as a standard App Store app, it can be installed over that app, provided the user can be enticed to click on a link in a website or email message.
This means that a carefully designed and targeted link to an app download could be sent to an executive or politician, with a socially engineered message “from” an associate meant to entice a user download of a “new game” or some other innocuous app.
Once the malware link is clicked, the user is prompted to install an app, but not through the App Store. A well-crafted email could easily fool less-technical (or even more technically inclined) users. The demonstration happens entirely over the internet; the user never has to connect the device to a computer.
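The precondition for the replacement described above is an enterprise- or ad-hoc-signed app carrying a bundle identifier that belongs to an App Store app. An IT department can look for exactly that condition in its device inventory. The following is an added example, not code from FireEye or Apple: it assumes a constructed inventory format (bundle identifier, app name, install source, signing team) of the kind an MDM export might provide, and a baseline of the bundle identifiers the organisation expects to come from the App Store.

```python
"""Flag installed apps whose bundle identifier collides with an App Store app
but which were not installed from the App Store (or are signed by a different
team). Inventory fields and baseline values are constructed for this example;
they are not an Apple or FireEye API."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str   # reverse-DNS style identifier the app declares
    name: str        # human-readable name shown on the home screen
    source: str      # assumed field: "appstore" or "enterprise"
    team_id: str     # assumed field: signing team identifier from the profile


# Baseline of bundle identifiers the organisation expects from the App Store,
# mapped to the publishing team. Constructed sample values.
APP_STORE_BASELINE: Dict[str, str] = {
    "com.example.bank": "BANKTEAM01",
    "com.example.mail": "MAILTEAM02",
}

# Enterprise apps the organisation itself distributes. Constructed sample.
APPROVED_ENTERPRISE_APPS = {"com.example.corp.expenses"}


def find_masqueraders(inventory: Iterable[InstalledApp]) -> List[dict]:
    """Return apps that reuse a baseline App Store bundle identifier without
    matching the baseline's install source and signing team."""
    findings = []
    for app in inventory:
        expected_team = APP_STORE_BASELINE.get(app.bundle_id)
        if expected_team is None:
            continue  # not a bundle identifier we track here
        if app.source != "appstore":
            reason = "non-App-Store install using an App Store bundle identifier"
        elif app.team_id != expected_team:
            reason = "signing team differs from App Store baseline"
        else:
            continue  # matches the baseline on both counts
        findings.append({"bundle_id": app.bundle_id, "name": app.name,
                         "team_id": app.team_id, "reason": reason})
    return findings


def unexpected_enterprise_apps(inventory: Iterable[InstalledApp]) -> List[str]:
    """Return bundle identifiers of enterprise-provisioned apps that are not on
    the organisation's own approved list (a broader, noisier check)."""
    return sorted(app.bundle_id for app in inventory
                  if app.source == "enterprise"
                  and app.bundle_id not in APPROVED_ENTERPRISE_APPS)


# Constructed device inventory: one benign App Store app, one approved
# enterprise app, and one enterprise-signed app reusing the mail bundle id.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", "Example Bank", "appstore", "BANKTEAM01"),
    InstalledApp("com.example.corp.expenses", "Expenses", "enterprise", "CORPTEAM7"),
    InstalledApp("com.example.mail", "Example Mail", "enterprise", "UNKNOWN99"),
]

if __name__ == "__main__":
    for f in find_masqueraders(SAMPLE_INVENTORY):
        print(f"ALERT {f['bundle_id']} ({f['name']}): {f['reason']}")
    for b in unexpected_enterprise_apps(SAMPLE_INVENTORY):
        print(f"REVIEW enterprise app not on approved list: {b}")
```

The first check is the precise one for this attack: a bundle identifier that should only ever arrive through the App Store, yet was installed another way. The second check is wider and will surface legitimate test builds too, so it is better treated as a review queue than an alert.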
FireEye has created a video demonstration of the hack, nicknamed the Masque Attack:
Users should make sure not to install applications from third-party sources other than Apple’s App Store or a trusted user within their organization. They should also never click “Install” on a third-party web page, no matter what the app purports to be, as the app can disguise itself and then install and replace an existing app.
Finally, if iOS shows an alert saying an app was built by an “Untrusted App Developer,” click “Don’t Trust” and delete the app immediately.
FireEye says the vulnerability was disclosed to Apple months ago, but iPhones and iPads remain vulnerable. IT departments should remain vigilant about apps installed from any non-standard source.
Update: Apple issued this statement to iMore:
“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”
Additionally, the US Government has issued an official warning about “Masque Attack.”
Does your company have a plan to maintain integrity of employees’ iOS devices? Let us know in the comments below.
Updated 12:45 p.m. Nov. 14 with a statement by Apple.