US-CERT warns iOS users of Masque attack

Oops, they did it again – found an exploitable vulnerability in the iPhone and iPad operating system that could enable attackers to access users’ personal information, that is. Last week, researchers with California security company FireEye announced a new bug called Masque and released a video that demonstrates how an iPhone could be compromised through this new attack.

The United States Computer Emergency Readiness Team (US-CERT) posted an alert on Thursday, November 13^th (TA14-317A) that lists potential consequences of an exploit:

• A fake app can be installed that will mimic the original app’s login interface to steal the victim’s login credentials.
• The app can access sensitive data from local data caches.
• The app can perform background monitoring of the user’s device.
• The app can gain root privileges to the iOS device.
• The fake app may be indistinguishable from a genuine app.

Here’s an example of how it works: the attacker can send the user a URL that purports to include a link to install a new version of a popular app (in the case demonstrated by FireEye, a game called Flappy Bird). The unsuspecting user, thinking it’s a harmless update, follows the link and all appears to be well. The user is asked to confirm that he/she wants to install the game, a normal procedure.

However, instead of installing Flappy Bird, the software installs a version of the Gmail app that’s been modified to send the contents of the user’s mailbox – and all of the personal information therein – to the attacker’s server. And that’s not all; the attacker can also access and read any text messages that the phone receives. Depending on how the user uses the phone, this double whammy could result in the exposure of a tremendous amount of information, some of which could be confidential.

This is a particularly insidious attack because the fake Gmail app is a good imitation of the real one, so a user is not likely to notice the change. If you don’t use text messaging (my husband and I actually have the service blocked on our phones), your risk will be reduced. However, there’s another “gotcha”: since email (and SMS, if you do use it) is often used for resetting your password and providing codes to activate various services, so these could be intercepted by the attacker.

Gmail is just an example of a legitimate app that can be mimicked. Any app other than the ones that are built into iOS is at risk of being imitated. The risk can be mitigated by exercising precautions about installing apps; in other words, only install apps that you’re sure can be trusted and don’t install third party apps from sources other than Apple’s store. If you start to open an app and get the message “Untrusted App Developer,” select “Don’t trust” and uninstall the app.

As is often the case, Apple responded by downplaying the risk. Apple issued a statement that said, in part, “We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”

It’s true that Apple’s built-in safeguards will protect many iOS users from this exploit. However, if an attacker has a Developer Enterprise account with Apple, the app can be signed with that certificate and will install on any device. However, FireEye, in a blog post titled All Your iOS Apps Belong to Us, seems to believe it’s a little more serious than Apple lets on.

Those who are likely to fall victim to this attack are people who have jail broken their devices and who install apps from sources outside the Apple store. Unfortunately that applies to quite a few tech savvy iPhone users, and some that aren’t all that technical but dislike being limited by Apple’s “walled garden” approach. If that describes you or the users you support, this is a vulnerability you’ll want to pay attention to.