Masque Attack Alert: iOS App Data in Peril


Security experts are warning of a major security threat that could allow malicious copycat apps to take the place of their legitimate namesakes on iOS 7 and 8 devices and, in so doing, steal sensitive user data.

The so-called ‘Masque Attack’ affects jailbroken and non-jailbroken devices and was taken advantage of in limited form by the WireLurker malware disclosed last week.

However, Masque Attack is more dangerous than WireLurker's use of it suggests, because it does not need a USB connection to infect an iOS device: it can also be delivered over the internet, for instance from a web page that prompts the user to install an enterprise-provisioned app, replacing authentic apps and stealing their data, according to FireEye.

The security vendor explained its research in a blog post:

“In July 2014, FireEye mobile security researchers discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like ‘New Flappy Bird’) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier.”

This could enable attackers to replace a banking or email app, for example, with a malicious alternative displaying the same UI, enabling them to harvest user credentials.

In addition, the data under the original app’s directory, including local data caches, remains in place and becomes the malware’s local directory once the authentic app is replaced, so the malware can read that data, which could include local caches of emails, FireEye explained.
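The install logic FireEye describes can be shown as a small model. The following Python is an added illustration written for this page, not iOS code and not FireEye's proof of concept: the bundle identifier, the signer names, the cached file name and the `Device`/`App` classes are all constructed assumptions. The vulnerable path keys installs on the bundle identifier alone; the hardened path adds the missing check that a replacement must come from the same signer, and only then can the new app inherit the existing data directory.

```python
"""Toy model of the Masque Attack install check described by FireEye.

Constructed illustration only: this is not iOS code, and the bundle
identifiers, signer names and file names below are made up.
"""
from dataclasses import dataclass, field
from typing import Optional

# Per the FireEye write-up, Apple's preinstalled apps cannot be replaced.
PREINSTALLED = {"com.apple.mobilesafari"}


@dataclass(frozen=True)
class App:
    bundle_id: str   # the only key the vulnerable path looks at
    title: str       # arbitrary display name, e.g. "New Flappy Bird"
    signer: str      # identity on the signing certificate (assumed Team ID-like string)
    source: str      # "app_store" or "enterprise" (ad-hoc/enterprise provisioning)


@dataclass
class Device:
    installed: dict = field(default_factory=dict)   # bundle_id -> App
    containers: dict = field(default_factory=dict)  # bundle_id -> files in the app's data directory

    def _place(self, app: App, existing: Optional[App]) -> str:
        self.installed[app.bundle_id] = app
        self.containers.setdefault(app.bundle_id, [])  # container survives a replacement
        return "installed" if existing is None else "replaced"

    def install_vulnerable(self, app: App) -> str:
        """Pre-fix behaviour: any validly signed app with the same bundle_id replaces
        the existing one, whoever signed it, and inherits its data directory."""
        if app.bundle_id in PREINSTALLED:
            return "refused: preinstalled app"
        return self._place(app, self.installed.get(app.bundle_id))

    def install_hardened(self, app: App) -> str:
        """The check the flaw lacked: a replacement must carry the same signer as the
        app already installed under that bundle_id."""
        if app.bundle_id in PREINSTALLED:
            return "refused: preinstalled app"
        existing = self.installed.get(app.bundle_id)
        if existing is not None and existing.signer != app.signer:
            return "refused: signer mismatch"
        return self._place(app, existing)

    def files_readable_by(self, signer: str, bundle_id: str) -> list:
        """Files in the container are readable by whichever app currently owns the bundle_id."""
        owner = self.installed.get(bundle_id)
        if owner is None or owner.signer != signer:
            return []
        return list(self.containers.get(bundle_id, []))


def run_scenario(hardened: bool) -> dict:
    """Install a genuine bank app, let it cache a token, then push a same-bundle-id
    enterprise app signed by someone else. Returns what the attacker ends up with."""
    device = Device()
    install = device.install_hardened if hardened else device.install_vulnerable

    genuine = App("com.example.bank", "Example Bank", signer="TEAM-BANK", source="app_store")
    install(genuine)
    # Constructed cache file standing in for the session data a real app leaves behind.
    device.containers["com.example.bank"].append("Library/Caches/session_token")

    masque = App("com.example.bank", "New Flappy Bird", signer="TEAM-EVIL", source="enterprise")
    result = install(masque)
    return {
        "result": result,
        "owner_signer": device.installed["com.example.bank"].signer,
        "leaked_files": device.files_readable_by("TEAM-EVIL", "com.example.bank"),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_scenario(hardened=mode))
```

Run it and the vulnerable path reports the bundle as "replaced" with the attacker's signer now owning the container and its cached token; the hardened path refuses the install and leaks nothing, while a genuine update from the original signer is still accepted.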

It is difficult for mobile device management software to distinguish the malware from the original app because both carry the same bundle identifier. Masque Attacks can also be used to bypass the normal app sandbox and then gain root privileges by attacking known iOS vulnerabilities, the firm claimed.

Apple iOS 7 and 8 users were urged to protect themselves by not installing apps from third-party sources; not tapping ‘Install’ on any pop-up from a third-party web page; and uninstalling an app immediately if iOS shows an ‘Untrusted App Developer’ alert when it is opened.

FireEye said it alerted Apple to the flaw on July 26 but felt it necessary to go public after seeing proof that the issue has “started to circulate.”
