In the past few weeks, security researchers have discovered vulnerabilities in iOS that could potentially compromise sensitive data on iPhones and iPads.
Masque Attack
Researchers at the FireEye security firm have discovered a exploit in iOS that they’ve dubbed the “Masque Attack” in reference to the potential for malicious software to masquerade as legitimate apps while stealing sensitive information, including passwords and emails.
In a demonstration by FireEye, they presented an example attack in which a user is sent a text message touting a new “Flappy Bird” game with a link to install it. Upon clicking the link, the user is taken to a web page asking to install the “game.” Accepting the installation actually overwrites the user’s Gmail application, replacing it with a near identical version of their email inbox. The new malicious email app now has access to the original app’s data and can send the information to the attacker.
FireEye notified Apple about the exploit in July, but the vulnerability continues to exist in the latest iOS 8.1.1 beta.
While the consequences of such a vulnerability are potentially very extreme, the practicality of exploiting this venue of attack is not.
In order to make use of the Masque Attack, the attacker must either possess an enterprise developer account or acquire a device’s universal device identifier (UDI). Obtaining a UDI is a difficult endeavor and would only be useful in specifically targeted attacks.
Enterprise development tools are used for distributing proprietary in-house iOS apps to employees within a company, and if an attacker has access to those tools, they could sign their malicious apps with enterprise security certificates, allowing for third-party installation of iOS apps outside of the App Store. However, Apple has the ability to revoke enterprise certificates at any time, disallowing the app from functioning.
Defending against the Masque Attack should be as simple as paying attention to where you’re downloading apps from. If it’s not from the official App Store, it’s probably not the best idea to install it.
WireLurker
The Masque Attack follows the discovery of “WireLurker,” a vulnerability recently discovered in iOS that uses similar enterprise certificate exploits.
WireLurker could infect Macs through users unknowingly downloading malicious code that would install a Trojan on that user’s system. The Trojan would then wait for any iOS devices to connect to the computer via USB, then grab information from the device, including the user’s phone number, and send the information to the attacker. WireLurker would then infect the iOS device, installing software on it without the user’s permission.
Apple has reportedly prevented WireLurker infected apps from launching on iOS since its discovery, which was mainly targeted at users in China downloading apps from a third-party app store.
Again, the best safeguard against these attacks is to be very careful of what you download and install on your devices.
By Alfredo Dizon, eParisExtra